On Wed, 24 Jun 2009, Florian Weimer wrote:

> A DS/DNSKEY mismatch should really, really trigger a refetch of the
> DNSKEY.

Which also implies a refetch of the DS at the parent.

Indeed, this would help contain the damage a malicious losing Registrar/DNS operator can do by setting insane TTLs and whatnot.

Paul
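The behaviour discussed in this message, as an added illustration that is not part of the original thread: a toy validator cache that, on a DS/DNSKEY mismatch, refetches both the DNSKEY and the DS once before declaring the zone bogus. The class and function names, the zone `example.test`, the key bytes and the TTLs are constructed, and the DS digest is a simplified stand-in for the RFC 4034 computation.

```python
import hashlib

def ds_digest(owner, dnskey):
    # Simplified: a real DS digest (RFC 4034) hashes the wire-format owner name + DNSKEY RDATA.
    return hashlib.sha256(owner.lower().encode() + dnskey).hexdigest()

class Validator:
    def __init__(self, zone, upstream, refetch_on_mismatch):
        self.zone = zone
        self.upstream = upstream          # constructed stand-in: {"DS"|"DNSKEY": (value, ttl)}
        self.refetch_on_mismatch = refetch_on_mismatch
        self.cache = {}                   # rrtype -> (value, expiry time)

    def _lookup(self, rrtype, now, force=False):
        hit = self.cache.get(rrtype)
        if force or hit is None or hit[1] <= now:
            value, ttl = self.upstream[rrtype]
            hit = self.cache[rrtype] = (value, now + ttl)
        return hit[0]

    def _matches(self, now, force=False):
        ds = self._lookup("DS", now, force)          # from the parent
        key = self._lookup("DNSKEY", now, force)     # from the child zone
        return ds == ds_digest(self.zone, key)

    def validate(self, now):
        if self._matches(now):
            return "secure"
        # Mismatch: the cached copies may be stale. Refetch both, once only,
        # so a genuinely bogus zone cannot cause a refetch loop.
        if self.refetch_on_mismatch and self._matches(now, force=True):
            return "secure"
        return "bogus"

def simulate(refetch_on_mismatch):
    zone, old_key, new_key = "example.test", b"old-operator-key", b"new-operator-key"
    ten_years = 10 * 365 * 86400
    # Before the transfer: the losing operator publishes its DNSKEY with a huge TTL.
    upstream = {"DS": (ds_digest(zone, old_key), 86400), "DNSKEY": (old_key, ten_years)}
    v = Validator(zone, upstream, refetch_on_mismatch)
    results = [v.validate(now=0)]
    # After the transfer: the parent DS and the child DNSKEY both point at the new key.
    upstream["DS"] = (ds_digest(zone, new_key), 86400)
    upstream["DNSKEY"] = (new_key, 3600)
    # The cached DS has expired by now, but the old DNSKEY is still cached.
    results.append(v.validate(now=90000))
    return results

if __name__ == "__main__":
    print("no refetch:", simulate(False))
    print("refetch on mismatch:", simulate(True))
```

Without the refetch, the stale DNSKEY keeps the zone bogus until its ten-year TTL runs out; with it, validation recovers on the first mismatch.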