I was talking about this in the halls at Vancouver.

My idea was to have a GLUESIG to cover delegating NS and
address records. This would cover the gap we currently
have in that not all data entered into a signed zone can
be cryptographically verified when it is received.

This would prevent resolvers being lead astray by being
given forged NS / A / AAAA RRsets. The model would be
verify before following rather than follow and hope that
you get something that can be validated.

Not having this is not a show stopper, but it is something
we should work on fixing.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.