# > dnssec only signs authority data. glue is (by definition) not authority
# > data.
# not authority data for the zone in question. it is authority
# data for some part of the heirarchy tho...

in principle, then, a referring server could fetch, validate, and transmit
the covering RRSIGs for any out-of-bailiwick glue it wants to hand out?

# > according to (drum roll, please) "local policy".
# yes, yes... the presumption of fully signed heirarchy and/or locally
# maintained TA's... Is that -ALL- there is for choice?

the decision was made about a decade ago to force trust to follow delegation.
while it'd be a nicer security market if anybody could sign anybody else's key,
that's not what we ended up deciding.

# > because we have to stop adding requirements some day. let's start now?
# er... because we have to stop is not, IMHO, a credible reason.

if you think endless design and redesign and requirement change is credible,
then i want some of whatever funding YOU'RE smoking. (mine isn't like that.)

# or are you sugestting that this is such a fundamental change, that
# we would have to scrap what has been done to add/integrate this
# spiffy chromed hood ornement to the DNSSEC funny car?
# or, are you concerned that DNSSEC will never gain adoption as long
# as there are suggested changed, modifications, additions, tweeks,
# etc. being proposed? Kind of like the DNS will never gain adoption
# until people stop trying to add, change, modify or tweek it?

i'm suggesting that we have to call it deployable, and deploy it, and then we
can go right on changing it. just like was done with dns, which was a total
trainwreck when deployed, by today's lofty standards.

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.