Mark,
On Nov 13, 2015, at 4:18 PM, Mark Andrews <marka@isc.org> wrote:
How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?
Why would the ISPs turn off DNSSEC? It doesn't prevent them sending back NXDOMAIN. The clients will validate or not. If they validate they will get a validation failure. If they don't then the NXDOMAIN will be accepted.
My point was that folks at ISPs tend to prefer not to be thrown in jail.
Apple just adds a validator to their stub resolver and installs a root trust anchor.
Love that plan. Let me know when you've convinced Apple to "just" add a validator to iOS (I'm assuming iOS doesn't currently have that capability).
This really isn't conceptually different to how they manage CAs.
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.

Regards,
-drc