Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

On 2012-07-18, at 11:49, Russ Housley wrote:

> So a DNSSEC signer starts under one set of documents, and then for whatever reason, the policy changes and the parties validating the signature have no means to determine that the signer is following a new policy.

They have means, they just don't have a way of deriving a specific policy from a specific DNSKEY. The available means are documented in the DPS.

> So I am missing the value of the policy to the parties that rely on these signatures.

Your suggestion is that if there's no way to derive the policy just from the contents of a DNSKEY RR, there's no point publishing a policy at all?


Joe

