>
> In other words, a DNSSEC signature algorithm present at an island
> of security is recursively mandated (except for temporary
> mismatches in DNS consistency) to secure child zones.
>


No, that is a wrong interpretation. The catch is in the "by each
algorithm appearing in the DS RRset" part. So the algorithm field in
the DS can point to "new" algorithms and you are not tied to one
single algorithm recursively down the tree.


As an example consider this:

@origin example.
example DNSKEY algo=RSASHA1 KSK id=1
example DNSKEY algo=RSASHA1 ZSK id=2
example RRSIG id=2

foo.example. DS algo=CRYPTSAM hash=deadbeef
foo.example. RRSIG id=1

@origin foo.example
foo.example DNSKEY algo=CRYPTSAM KSK id=5
foo.example DNSKEY algo=CRYPTSAM ZSK id=6
foo.example RRSIG id=6

etc etc


--Olaf


-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
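
Added example, not part of the original message: a minimal Python model (no real cryptography) of the rule under discussion, taken here to be the RFC 4035 section 2.2 requirement that a child's apex DNSKEY RRset be signed by each algorithm appearing in the DS RRset at the parent. The record tuples, the zone dictionary, the key ids attached to DS records and the rollover case are assumptions constructed for illustration; CRYPTSAM is the message's placeholder algorithm name.

```python
from collections import namedtuple

# Simplified records: only the fields the rule depends on (constructed model).
DS = namedtuple("DS", "algo key_id")
DNSKEY = namedtuple("DNSKEY", "algo key_id")

def dnskey_rrset_problems(ds_rrset, dnskeys, dnskey_sig_ids):
    """Check one delegation.

    dnskey_sig_ids: key ids of the RRSIGs covering the child's apex DNSKEY RRset.
    The parent's own algorithm is deliberately not an input: only the DS RRset
    decides which algorithms the child must sign with.
    """
    algo_of = {k.key_id: k.algo for k in dnskeys}
    signed_with = {algo_of[i] for i in dnskey_sig_ids if i in algo_of}
    return [f"DNSKEY RRset not signed with {algo}"
            for algo in sorted({ds.algo for ds in ds_rrset})
            if algo not in signed_with]

def check_tree(zones, apex):
    """Walk every delegation below apex; return {child zone: [problems]}."""
    report = {}
    for child, ds_rrset in zones[apex]["ds"].items():
        z = zones[child]
        report[child] = dnskey_rrset_problems(ds_rrset, z["dnskeys"], z["dnskey_sigs"])
        report.update(check_tree(zones, child))
    return report

# Constructed data following the message: RSASHA1 parent, CRYPTSAM child.
ZONES = {
    "example.": {"dnskeys": [DNSKEY("RSASHA1", 1), DNSKEY("RSASHA1", 2)],
                 "dnskey_sigs": [1, 2],
                 "ds": {"foo.example.": [DS("CRYPTSAM", 5)]}},
    "foo.example.": {"dnskeys": [DNSKEY("CRYPTSAM", 5), DNSKEY("CRYPTSAM", 6)],
                     "dnskey_sigs": [5, 6],
                     "ds": {}},
}

# Constructed failure case: the DS RRset also lists RSASHA1 (key id 7), but the
# child's DNSKEY RRset is still signed only with CRYPTSAM keys.
ROLLOVER_DS = [DS("CRYPTSAM", 5), DS("RSASHA1", 7)]
ROLLOVER_KEYS = ZONES["foo.example."]["dnskeys"] + [DNSKEY("RSASHA1", 7)]

if __name__ == "__main__":
    print(check_tree(ZONES, "example."))
    print(dnskey_rrset_problems(ROLLOVER_DS, ROLLOVER_KEYS, [5, 6]))
```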




