In message <146102.1315769...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records"
> on an end user system and left it enabled for more than a day before
> giving up in disgust? ;)

No. But I run with "reject anything that doesn't validate" and have
for several years now and that doesn't suck.

We will never be in a world where all DNS records validate unless
we do DNSng and that DNSng requires that all answers be signed.

Except as an academic exercise, I would never expect anyone would
configure a validator to require that all answers validate as secure.

DNSSEC gives you "provable secure", "provable insecure" and "bogus".

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org