Mike Jones <mike@mikejones.in> wrote:
DNSSEC deployment is advanced enough now to do that automatically at the client.
Sadly not quite. DNSSEC does have the potential to provide an alternative public key infrastructure, and I'm keen to see that happen. But although it works well between authoritative servers and recursive resolvers, there are a lot of shitty DNS forwardersin CPE and captive portals and so on which do not understand DNSSEC. And DNSSEC does not work unless all the forwarders and recursors that you are using support it. So DNSSEC on the client has a long way to go. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Hebrides, Southeast Bailey: Westerly 5 to 7 until later in south Hebrides, otherwise northwesterly 3 or 4, increasing 5 to 7. Rough or very rough, occasionally high in south Hebrides. Rain or showers. Good, occasionally poor.