This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

> In other words, a DNSSEC signature algorithm present at an island
> of security is recursively mandated (except for temporary
> mismatches in DNS consistency) to secure child zones.

No that is a wrong interpretation. The catch is in the "by each
algorithm appearing in the DS RRset " part. So the algorithm field in
the DS can point to "new" algorithms and you are not tied to one
single algorithm recursively down the tree.

As an example consider this:

@origin example.
example DNSKEY algo=RSASHA1 KSK id=1
example DNSKEY algo=RSASHA1 ZSK id=2
example RRSIG id=2

foo.example. DS algo=CRYPTSAM hash=deadbeef
foo.example. RRSIG id=1

@originin foo.example
foo.example DNSKEY algo=CRYPTSAM KSK id=5
foo.example DNSKEY algo=CRYPTSAM ZSK id=6
foo.example RRSIG id=6

etc etc


Olaf M. Kolkman
NLnet Labs

content-type: application/pgp-signature; x-mac-type=70674453;
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

Version: GnuPG v1.4.1 (Darwin)
Comment: This message is locally signed.



to unsubscribe send a message to with
the word 'unsubscribe' in a single line as the message text body.