I think one of the things that concerns me most with Google validating and jumping on the DNS "open resolver" bandwagon is that it'll force more folks (ISPs, enterprises and end users alike) to leave DNS resolver IP access wide open. Malware already commonly changes DNS resolver settings to rogue resolvers, and removes otherwise resident malcode from the end system to avoid detection by AV and the like. One of the primary recommendations I give to enterprises is to force use of internal resolvers, and log all other attempted DNS resolution queries elsewhere; it's a quick way to detect some compromised systems. My personal recommendation is that ISPs do the same, but that's where network neutrality issues enter the picture.

Of course, some of the DNS NXDOMAIN and similar "synthesis" they've been performing may perturb some users, and hence Google's service (and many before) are presumably welcomed by casual (or expert) end users.

So, DNSSEC deployment finally gets close (with validation models mostly just to the resolver) -- primarily to deal with DNS data integrity issues in the infrastructure -- yet compromised end systems are simply configured to use rogue resolvers, obviating much of the benefit of the added complexity DNSSEC brings, with "dumb pipe" providers simply enabling the now nefarious transactions.

And this concern is entirely orthogonal to all the issues that arise once Google (and everyone else) decide that overriding application-level DNS settings (e.g., for Chrome) is perfectly reasonable -- not to mention the value they find in operation of DNS infrastructure from a data mining perspective (e.g., NXDOMAIN data == marketing intelligence/$$) that many other folks have long ago realized...

-danny
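The enterprise recommendation in the post above (force internal resolvers, log every other DNS attempt, treat those attempts as a compromise signal) is easy to turn into a detection. What follows is an added example, not code from the post or its author: it parses constructed egress-firewall log lines in a hypothetical key=value syslog style and reports internal hosts that sent port-53 traffic anywhere other than the sanctioned resolvers. The resolver addresses, the internal prefix and the log lines are all assumptions made for the example; 8.8.8.8 appears only because Google's public resolver is the subject of the thread.

```python
"""Flag internal hosts that try to use resolvers other than the sanctioned
internal ones, from egress-firewall logs.

Added example, not code from the original post.  The log format, resolver
addresses, internal prefix and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical sanctioned internal recursive resolvers (assumption).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Hypothetical internal address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed egress-firewall log lines (key=value syslog style, assumption).
# Lines 3, 4 and 7 are one host repeatedly trying an outside resolver; line 6
# is another host going to Google's public resolver; line 8 is a sanctioned
# resolver doing its own upstream lookup, which is expected and not flagged.
SAMPLE_LOG = """\
2009-12-03T10:00:01Z fw1 action=allow proto=udp src=10.0.5.21 spt=51234 dst=10.0.0.53 dpt=53
2009-12-03T10:00:02Z fw1 action=allow proto=udp src=10.0.5.22 spt=40001 dst=10.0.1.53 dpt=53
2009-12-03T10:00:03Z fw1 action=deny proto=udp src=10.0.5.22 spt=40002 dst=203.0.113.9 dpt=53
2009-12-03T10:00:04Z fw1 action=deny proto=tcp src=10.0.5.22 spt=40003 dst=203.0.113.9 dpt=53
2009-12-03T10:00:05Z fw1 action=allow proto=tcp src=10.0.5.30 spt=55000 dst=198.51.100.7 dpt=443
2009-12-03T10:00:06Z fw1 action=deny proto=udp src=10.0.5.41 spt=33000 dst=8.8.8.8 dpt=53
2009-12-03T10:00:07Z fw1 action=deny proto=udp src=10.0.5.22 spt=40004 dst=203.0.113.9 dpt=53
2009-12-03T10:00:08Z fw1 action=allow proto=udp src=10.0.0.53 spt=61000 dst=192.0.2.1 dpt=53
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict, or None if the fields needed
    for the check are missing."""
    fields = dict(KV_RE.findall(line))
    if not {"src", "dst", "dpt", "proto"} <= fields.keys():
        return None
    fields["ts"] = line.split()[0]
    return fields


def is_internal(ip):
    """True if ip falls inside the assumed internal address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rogue_resolver_use(log_text):
    """Return {src_host: {destination: attempts}} for internal hosts that sent
    DNS (udp/tcp port 53) to anything other than a sanctioned resolver.

    Allowed and denied attempts count alike: the attempt is the signal, which
    is why the post recommends logging even when the egress is blocked."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["dpt"] != "53" or f["proto"] not in ("udp", "tcp"):
            continue
        src, dst = f["src"], f["dst"]
        # Skip inbound traffic and the sanctioned resolvers' own upstream
        # queries; those legitimately leave the network on port 53.
        if not is_internal(src) or src in INTERNAL_RESOLVERS:
            continue
        if dst in INTERNAL_RESOLVERS:
            continue
        hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


def report(log_text):
    """Render the findings as one line per (host, rogue resolver) pair."""
    lines = []
    for src, dsts in sorted(find_rogue_resolver_use(log_text).items()):
        for dst, n in sorted(dsts.items()):
            lines.append(f"{src} -> {dst}:53  {n} attempt(s): "
                         f"check host for altered resolver settings")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The check deliberately ignores the firewall's allow/deny verdict: on a network that already blocks outside port 53, the denied attempts are exactly the evidence of a host whose resolver settings have been changed, and on one that does not block yet, the allowed ones are. The only port-53 sources exempted are the sanctioned resolvers themselves, whose upstream queries are expected.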