[dns-operations] Implementation of negative trust anchors?

Phil Regnauld regnauld at nsrc.org
Fri Aug 23 12:59:45 UTC 2013


Daniel Kalchev (daniel) writes:
> 
> DNSSEC is not some magical technology that just solves "the problems".
> 
> On this, I am with Doug, that "if there is a high price for doing it
> wrong less people will do it wrong".
	
	Couple more things. a) Local policy allows you not to enable validation
	*at all* in the first place. b) Validating caching resolvers will be
	around for many more years, but if you can, validate on the client/
	application. The closer, the better. If we stop at the current state
	of things, we haven't done our job. If NTAs help, so be it.



