Hi Russ,

On 2012-07-17, at 19:06, Russ Housley wrote:

> I think you missed my point. In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier. I do not see a similar concept here.

You're right, I did miss your point, quite thoroughly :-)

I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.

Joe