DNSSEC status update
DS and OPT-IN
- DS: delegation signer
- Special RR to delegate authority published and signed by the parent
- DS reduces the amount of key exchange interactions
- OPT-IN: Optionally exclude parts of the zone from signing
- Reduces the final zone size: Important for deployment in .com zone
- Loss of authenticated denial in parts of the zone on which opt-in is deployed
- Both DS and OPT-IN are not compatible with the current RFC2535 specs