Hi, > Note that as long as one CA does not validate, DNSSEC is not a > sufficient defense, you need DANE as well (otherwise the attacker will > go to another CA). or CAA records. Kind regards, Volker