Joe: >> I think you missed my point. In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier. I do not see a similar concept here. > > You're right, I did miss your point, quite thoroughly :-) > > I am guessing that the answer is that there's no corresponding facility in DNSSEC to for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for. So a DNSSEC signer starts under one set of documents, and then for whatever reason, the policy changes and the parties validating the signature have no means to determine that the signer is following a new policy. So I am missing the value of the policy to the parties that rely on these signatures. Russ