> Well, OK. I can live with MUST NOT have colliding key tags if we
> also have MUST NOT have invalid RRSIGs.
>
> PS: Not that I expect anyone to enforce either of them any time
> soon.

I'm not aware of any part of the DNSSEC standards, key rolls, operational practice, etc. that leads to invalid RRSIGs. So from a standards point of view, MUST NOT have invalid RRSIGs seems fine. Obviously things can break. In that case it is fine if a resolver returns SERVFAIL.
