On Jun 20, 2013 5:31 PM, "Randy Bush" <ra...@psg.com> wrote: > and dnssec did not save us. is there anything which could have?
Hmmm. DNSSEC wouldn't have prevented an outage. But from everything I've seen reported, had the zones been signed, validating recursive resolvers (comcast, google, much of federal government, mine) would have returned servfail and would not have cached the bad nameservers in their good cache. Users would have simply failed to connect instead of being sent to the wrong page and recovery would have been quicker and easier. From my perspective as someone responsible for DNS at a fairly large enterprise, that would have been preferable. But then, the zones for which I'm responsible are signed. YMMV, Scott
