Open samuelweiler opened 4 years ago
rewritten as:
This document introduces a new DNSKEY flag called DELEGATION_ONLY. When this flag is set on a DNSKEY that is a trust anchor with a corresponding DS record at its parent, the zone commits to only produce Authoritative Answers for the apex (and _underscore label) records.
and:
There might be multiple DNSKEY records that are suitable to act as a trust anchor for a zone.
We've repeatedly said the SEP bit is for operational clarity and not part of this validation algorithm, yet this doc implies making validation decisions based on it. Take that out.