I am delighted that we have the capability now to do dnssec. I am not surprised that various domain name holders are doing it wrong, nor that some ISPs and registrars don't support doing it either. We are first past the post here, and kind of have to expect some bugs...
but is the overall sense here: A) we should do full dnssec by default, and encourage users to use open dns resolvers like google dns that support it when their ISPs don't? B) or should we fall back to the previous partial dnssec implementation that didn't break as hard, and encourage folk to turn it up full blast if supported correctly by the upstream ISP? C) or come up with a way of detecting a broken upstream and falling back to a public open resolver? Is there a "D"? -- Dave Täht NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article _______________________________________________ Cerowrt-devel mailing list [email protected] https://lists.bufferbloat.net/listinfo/cerowrt-devel
