On Mon, Apr 19, 2010 at 05:06:39PM +0100, George Barwood wrote:
> It seems to me that DNSKEY RRsets should only be signed with the keys that
> are designated as secure entry points, that is keys with bit 15 set:
> DNSKEY Flags field = 257.

That is explicitly denied by the RFCs.

A

--
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.