In message <146102.1315769526@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
> (*) Has anybody actually enabled "only accept DNSSEC-signed A records" on an end user system and left it enabled for more than a day before giving up in disgust? ;)
No. But I run with "reject anything that doesn't validate" and have for several years now and that doesn't suck.

We will never be in a world where all DNS records validate unless we do DNSng and that DNSng requires that all answers be signed. Except as an academic exercise, I would never expect anyone would configure a validator to require that all answers validate as secure.

DNSSEC gives you "provably secure", "provably insecure" and "bogus".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
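The three outcomes above are observable from the client side of a validating resolver, and the distinction is what makes "reject anything that doesn't validate" livable: an unsigned zone is provably insecure and answers normally, only a signed zone whose chain of trust fails is bogus. The script below is an added example, not part of Mark's post and not ISC code. It assumes BIND's `dig` is installed, that the resolver being queried is validating, and that the AD flag is trusted only because the path to that resolver is trusted (for instance, a validator on localhost). The function and variable names (`classify_dnssec`, `check_name`, `SAMPLE_*`) are this example's own, and the `SAMPLE_*` dig headers are constructed, not captured from real queries.

```shell
#!/bin/sh
# Added example (not from the original post): tell "secure", "insecure" and
# "bogus" apart from what a validating resolver returns to dig.
#
# outcome    query without CD          same query with +cd
# secure     NOERROR/NXDOMAIN, AD set  (not needed)
# insecure   NOERROR/NXDOMAIN, no AD   (not needed)
# bogus      SERVFAIL                  answers: data exists, validation failed
# error      SERVFAIL                  SERVFAIL: resolver/upstream problem, not DNSSEC

# rcode from dig's ";; ->>HEADER<<- ... status: X" line (reads stdin)
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# "ad" if the AD (authenticated data) flag is on the ";; flags:" line (reads stdin)
dig_has_ad() {
  if grep -q '^;; flags:[^;]* ad[ ;]'; then echo ad; else echo noad; fi
}

# classify_dnssec RCODE_NOCD AD RCODE_CD -> secure | insecure | bogus | error
classify_dnssec() {
  rcode_nocd=$1; ad=$2; rcode_cd=$3
  if [ "$rcode_nocd" = SERVFAIL ]; then
    # Only a validation failure if the same query succeeds with checking disabled
    if [ "$rcode_cd" = SERVFAIL ]; then echo error; else echo bogus; fi
  elif [ "$ad" = ad ]; then
    echo secure
  else
    echo insecure
  fi
}

# classify_sample NOCD_OUTPUT CD_OUTPUT: classify from two captured dig outputs
classify_sample() {
  classify_dnssec \
    "$(printf '%s\n' "$1" | dig_status)" \
    "$(printf '%s\n' "$1" | dig_has_ad)" \
    "$(printf '%s\n' "$2" | dig_status)"
}

# check_name NAME [TYPE] [SERVER]: run both live queries and classify (needs network)
check_name() {
  name=$1; type=${2:-A}; server_arg=${3:+@$3}
  nocd=$(dig $server_arg +dnssec +noall +comments "$name" "$type")
  cd=$(dig $server_arg +dnssec +cd +noall +comments "$name" "$type")
  classify_sample "$nocd" "$cd"
}

# Constructed dig header output (not captured from real queries), for offline use
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_NOCD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

# With arguments, query a real resolver: ./dnssec-state.sh example.com A 127.0.0.1
if [ $# -gt 0 ]; then
  check_name "$@"
fi
```

The `+cd` retry is the part people skip: a SERVFAIL on its own could be an outage or a lame delegation, but a SERVFAIL that turns into an answer once checking is disabled means the data is there and its signatures (or the DS chain above it) do not check out, which is the bogus case. The AD flag is only as good as the path to the resolver that set it; over an untrusted network it can be forged, so run the validator locally or talk to it over an authenticated channel before acting on that bit.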