----- Original Message -----
From: "Florian Weimer" <fw@deneb.enyo.de>
That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell.
I don't know if it influenced the policy decision, but as it is currently specified, the protocol ensures that configuring an additional trust anchor never decreases availability when you've also got the root trust anchor configured, it can only increase it. This means that there is little reason to configure such a trust anchor, especially in the present scenario.
Not being a DNSSEC maven, the idea that there was no out-of-band way to confirm what the in-band method was telling you seemed bad to me; Matt's explanation, OTOH, seems sensible. Cheers, -- jra