----- Original Message ----- > From: "Matt Larson" <mlar...@verisign.com>
> The new KSK will not be published in an authenticated manner outside > DNS (e.g., on an SSL-protected web page). Rather, the intended > mechanism for trusting the new KSK is via the signed root zone: DS > records corresponding to the new KSK are already present in the root > zone. That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell. Why was that decision taken, Matt? Cheers, -- jra