[dns-operations] TLD .law - non-signing KSK with referenced DS

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Jan 20 06:44:49 UTC 2022


> PowerDNS Recursor used to ignore SHA-256 records in the face of
> SHA-384 records, but this was considered a bug and recently fixed. [3]
> I don't know if any other resolvers behave the same way. It would be
> prudent not to chance it.

We were recently made aware of a .ch domain which rolled the keys and
triggered this bug. Akamai CacheServe is also affected. The issue is
being fixed there as well. So I second your recommendation for the time
being.

Daniel
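
An added example, not part of the original message and not code from PowerDNS or Akamai: a check that flags a DS RRset which validates normally but loses every trust path on a resolver that ignores SHA-256 DS records whenever a SHA-384 DS record is present. It assumes the filter applies across the whole DS RRset and reduces key matching to (key tag, algorithm); the key tags and sample RRsets are constructed.

```python
from dataclasses import dataclass

SHA256, SHA384 = 2, 4  # IANA DS digest type numbers


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


def usable_ds(ds_rrset, drop_sha256_if_sha384):
    """DS records the validator keeps. With the flag set, this models the
    behaviour described above: SHA-256 is ignored if any SHA-384 DS exists
    (assumption: the filter is applied across the whole RRset)."""
    if drop_sha256_if_sha384 and any(d.digest_type == SHA384 for d in ds_rrset):
        return [d for d in ds_rrset if d.digest_type != SHA256]
    return list(ds_rrset)


def has_trust_path(ds_rrset, signing_keys, drop_sha256_if_sha384):
    """True if a kept DS points at a key that signs the DNSKEY RRset.
    Simplification: match on (key_tag, algorithm) only; a real validator
    also verifies the digest and the RRSIG."""
    kept = usable_ds(ds_rrset, drop_sha256_if_sha384)
    return any((d.key_tag, d.algorithm) in signing_keys for d in kept)


def at_risk(ds_rrset, signing_keys):
    """Valid on a normal validator, bogus on one that drops SHA-256."""
    return (has_trust_path(ds_rrset, signing_keys, False)
            and not has_trust_path(ds_rrset, signing_keys, True))


# Constructed sample: mid-rollover, old KSK 11111 still signs and has a
# SHA-256 DS; new KSK 22222 is published with a SHA-384 DS but not signing.
MIXED = [DS(11111, 13, SHA256), DS(22222, 13, SHA384)]
# Constructed sample: same rollover, one digest type for both keys.
UNIFORM = [DS(11111, 13, SHA256), DS(22222, 13, SHA256)]
SIGNING = {(11111, 13)}

if __name__ == "__main__":
    for name, rrset in (("mixed", MIXED), ("uniform", UNIFORM)):
        print(name, "at risk:", at_risk(rrset, SIGNING))
```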


