Mark Delany wrote:
policy/practice/(petunia?) records. The choice of whether a new
RR or a TXT key record should be retrieved is something that can be
represented in the signature (the query-type tag, q=, has been suggested,
which makes sense).
As a practical matter, I don't see how this can actually work to
eliminate the DKK then TXT sequence because you don't know the
capabilities of the verifiers. Can they fetch DKK? No one knows.
1. signers MUST have a TXT and SHOULD have a new RR.
2. signers using RR indicate this with q=<newRR>.
3. verifiers that see q=<newRR> SHOULD query for that RR but MAY query for the
Single query, no matter what the situation. No failures, so no fallbacks.
The only risk is having a verifier that does not know whether their DNS client
code can support the new RR. Seems a trivial configuration option.
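The verifier-side logic this message sketches, as an added example that is not from the mailing-list thread or any DKIM implementation: the signer advertises the record type it published via the q= tag, and the verifier issues exactly one DNS query of that type, going to TXT only when q= is absent, unrecognised, or names a type the local resolver has not been configured to support (the "trivial configuration option" above). The value "dns/txt" is the RFC 6376 default; "dns/dkk" is a hypothetical label standing in for the q=<newRR> value and the "DKK" record the thread refers to. DNS is stubbed with a constructed inline zone so the example runs offline.

```python
"""Select and fetch the DKIM key record type from the q= tag (added example)."""
import re

# q= method -> DNS RR type name. Only "dns/txt" is defined by RFC 6376;
# "dns/dkk" is a hypothetical value for the thread's proposed new RR.
QUERY_METHODS = {
    "dns/txt": "TXT",
    "dns/dkk": "DKK",
}

# Constructed DKIM-Signature header; the signer lists its new RR first and
# TXT second, matching "signers MUST have a TXT and SHOULD have a new RR".
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; q=dns/dkk:dns/txt; "
    "h=from:to:subject; bh=Zm9v; b=YmFy"
)

# Constructed zone data: owner name -> {RRTYPE: record text}. The p= value
# is a placeholder, not a real key.
FAKE_ZONE = {
    "sel1._domainkey.example.com": {
        "TXT": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
        "DKK": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY",
    },
}

# Record of every stubbed DNS query, so callers can confirm only one is made.
QUERY_LOG = []


def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2) into a dict.

    Whitespace inside values is dropped, as the tag-list grammar permits folding.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def choose_rrtype(tags, supported_rrtypes):
    """Pick the single RR type to query.

    q= may carry a colon-separated list of methods; take the first one the
    verifier both understands and is configured to resolve. A missing or
    entirely unrecognised q= falls to TXT, which the signer MUST publish,
    so the verifier still needs only one query and never has to retry.
    """
    for method in tags.get("q", "dns/txt").split(":"):
        rrtype = QUERY_METHODS.get(method.strip().lower())
        if rrtype and rrtype in supported_rrtypes:
            return rrtype
    return "TXT"


def fake_dns_query(name, rrtype):
    """Stand-in for a resolver call; returns the record text or None (no data)."""
    QUERY_LOG.append((name, rrtype))
    return FAKE_ZONE.get(name, {}).get(rrtype)


def fetch_key_record(header_value, supported_rrtypes=("TXT",)):
    """Return (rrtype_queried, record_text) after exactly one DNS lookup.

    supported_rrtypes is the local configuration knob: a verifier whose DNS
    client cannot handle the new RR simply leaves it out of this tuple.
    """
    tags = parse_tags(header_value)
    name = f"{tags['s']}._domainkey.{tags['d']}"
    rrtype = choose_rrtype(tags, supported_rrtypes)
    return rrtype, fake_dns_query(name, rrtype)


if __name__ == "__main__":
    # A verifier that only knows TXT, and one that has enabled the new RR.
    print(fetch_key_record(SAMPLE_SIG))
    print(fetch_key_record(SAMPLE_SIG, ("TXT", "DKK")))
    print("queries issued:", len(QUERY_LOG))
```

Because the decision is made from the signature alone, the verifier never has to probe for a record type and then fall back on failure; the worst case for a misconfigured verifier is a TXT lookup it would have done anyway.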