On 2012-07-18, at 11:49, Russ Housley wrote:
> So a DNSSEC signer starts under one set of documents, and then for whatever
> reason, the policy changes and the parties validating the signature have no
> means to determine that the signer is following a new policy.
They have means, they just don't have a way of deriving a specific policy from
a specific DNSKEY. The available means are documented in the DPS.
> So I am missing the value of the policy to the parties that rely on these
> signatures.
Your suggestion is that if there's no way to get to the policy just from the
contents of a DNSKEY RR, there's no point publishing a policy at all?
Joe