On Mon, Sep 22, 2008 at 8:16 AM, Jason Frisvold <xenophage0@gmail.com> wrote:
On Mon, Sep 22, 2008 at 11:02 AM, Chris Owen <owenc@hubris.net> wrote:
Chicken, meet egg.
I think the point of the original post is that one end or the other has to start things. At least we have one US zone doing something on the server end of things.
Oh, agreed, absolutely. And it's great to see. However, neither the Slashdot blurb nor the NetworkWorld article mentions that without a valid resolver, there is no guarantee of security. Sure, they mention that vendors are rolling it out and that ISPs should be following suit, but no mention is made of the end-user's resolver at all...
The NetworkWorld article (in the printer-friendly version, at least) has a little table that shows the DNSSEC status of the major vendors. And support in the resolver library is not strictly necessary, as long as you trust _your_ (or your ISP's) nameservers. (not to say that it isn't a good idea, just that it's not a requirement for initial rollout.)

--
darkuncle@{gmail.com,darkuncle.net} || 0x5537F527
http://darkuncle.net/pubkey.asc for public key