> 
> The end-stage is secure only if at that stage you also set all DNS 
> infrastructure to refuse to talk to any DNS client/server/resolver that DOES 
> NOT validate and enforce DNSSEC.  Up until that point in time, there is NO 
> CHANGE in the security posture from what we have today with no DNSSEC 
> whatsoever.
> 
> To hold forth otherwise is to participate in deliberate fraud and 
> misrepresentation of material facts.
> 
> 

        so you are a "fail/closed" proponent.
        a fail/open approach would have failure of DNSSEC-based validation
        behave just like the DNS of today.  The use of Trust Anchors and
        signed "islands" allows one to find "golden threads" of validated
        chains in the dns fabric ...
        e.g. incremental rollout vs flag day.

--bill
