Oct. 12, 2014
6:49 p.m.
On 10 okt 2014, at 18:49, Michael StJohns <msj@nthpermutation.com> wrote:
Not exactly. By convention we split ZSK and KSK duties, but that's not actually enforced by the resolver.
Sure, but it is enforced by the current RZ key management process. ICANN can not sign an arbitrary RRset unless several key components are modified, including the DPS and the software used for signing. jakob