On Sat, Jul 26, 2008 at 01:14:08AM +0200,
Roy Arends wrote
a message of 28 lines which said:

> When a validator has a trust anchor configured for root, it _expects_
> signatures for root.

Which means there is no way back? If we sign ".fr", and people start
to configure the trust anchor for ".fr" in their validating resolvers,
we can no longer revert to the original, non-signed, system, should
problems occur?

Am I correct? AFAIK, DNSSEC has no way to express policies (in an
RFC5016-like way) such as "should be signed".
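
Added example, not part of the original message: a simplified model of how a validating resolver assigns the RFC 4033 security states, showing why data from a zone that reverts to unsigned is treated as bogus by resolvers that still hold a trust anchor for it. The function names, the zone data and the assumption that every label is a zone cut are constructed for illustration.

```python
# Added illustration: simplified RFC 4033 security states. All data is constructed.

def _labels(name):
    return [] if name == "." else name.rstrip(".").split(".")

def _join(labels):
    return ".".join(labels) + "." if labels else "."

def closest_anchor(name, anchors):
    """Longest configured trust anchor enclosing `name`, or None."""
    labels = _labels(name)
    for i in range(len(labels) + 1):
        if _join(labels[i:]) in anchors:
            return _join(labels[i:])
    return None

def classify(zone, anchors, zones):
    """Security state a validator would assign to data at the apex of `zone`."""
    anchor = closest_anchor(zone, anchors)
    if anchor is None:
        return "indeterminate"      # no anchor covers the name: nothing to validate against
    if not zones[anchor]["signed"]:
        return "bogus"              # an anchor is configured, so signatures are expected
    labels = _labels(zone)
    # Walk down from the anchor (assumption: every label is a zone cut).
    for n in range(len(_labels(anchor)) + 1, len(labels) + 1):
        child = _join(labels[-n:])
        if not zones[child]["ds_in_parent"]:
            return "insecure"       # parent proves there is no DS: child may be unsigned
        if not zones[child]["signed"]:
            return "bogus"          # DS promises signatures that are missing
    return "secure"

ROOT = {"signed": True}
SIGNED = {".": ROOT, "fr.": {"signed": True, "ds_in_parent": True}}
ROLLED_BACK = {".": ROOT, "fr.": {"signed": False, "ds_in_parent": False}}

if __name__ == "__main__":
    for label, anchors, zones in [
        ("fr signed, fr anchor", {"fr."}, SIGNED),
        ("fr unsigned again, fr anchor still configured", {"fr."}, ROLLED_BACK),
        ("fr unsigned again, only root anchor, DS withdrawn", {"."}, ROLLED_BACK),
        ("fr unsigned again, no anchors", set(), ROLLED_BACK),
    ]:
        print(f"{label}: {classify('fr.', anchors, zones)}")
```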

