Joe:
I think you missed my point. In a PKI, when the issuer significantly
changes the policy, subsequent certificates have a different policy
identifier. I do not see a similar concept here.
You're right, I did miss your point, quite thoroughly :-)
I am guessing that the answer is that there's no corresponding facility in
DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say
that largely ignorant of X.509 and attendant CA policy and hence perhaps am
still misunderstanding what you're looking for.
So a DNSSEC signer starts under one set of documents, and then for whatever
reason, the policy changes and the parties validating the signature have no
means to determine that the signer is following a new policy. So I am missing
the value of the policy to the parties that rely on these signatures.
Russ