>>> RFC5155 says, on page 32, "zone signing tools SHOULD NOT default to using >>> opt-out". But in trunk/OpenDNSSEC/conf/kasp.xml.in we turn opt-out on... >>> Should we comment this tag out? >> >> >> Yes... > > +1 And... +1 here too. Please also add a remark in kasp.xml, referring to RFC5155. Well spotted btw! -- Marco