From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Sat, 12 Apr 2014 21:26:23 -0700
Subject: [Cerowrt-devel] Full blown DNSSEC by default?
List-Id: Development issues regarding the cerowrt test router project

I am delighted that we have the capability now to do dnssec.
I am not surprised that various domain name holders are doing it wrong, nor that some ISPs and registrars don't support doing it either. We are first past the post here, and kind of have to expect some bugs... but is the overall sense here:

A) we should do full dnssec by default, and encourage users to use open dns resolvers like google dns that support it when their ISPs don't?

B) or should we fall back to the previous partial dnssec implementation that didn't break as hard, and encourage folk to turn it up full blast if supported correctly by the upstream ISP?

C) or come up with a way of detecting a broken upstream and falling back to a public open resolver?

Is there a "D"?

-- 
Dave Täht
NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
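Option C above asks for a way to detect a broken upstream and fall back to a public resolver. The script below is an added example of what such a probe could look like; it is not code from the mail or from the CeroWrt project. It assumes `dig` is installed for the live probe, uses two placeholder test names (`signed-ok.example`, `signed-broken.example`) that stand in for a correctly signed zone and a deliberately mis-signed one, and uses addresses from the 192.0.2.0/24 documentation range as constructed ISP resolvers next to Google Public DNS (8.8.8.8). The decision logic runs offline against constructed responses.

```python
"""Probe candidate resolvers for DNSSEC behaviour and pick one a local validator can use."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: stand-ins for a correctly signed name and one whose signatures
# are deliberately broken; substitute real test names before live use.
GOOD_SIGNED = "signed-ok.example"
BAD_SIGNED = "signed-broken.example"

# A probe answers (rcode, ad_flag_set, rrsig_present) for one query against one resolver.
Probe = Callable[[str, str], Tuple[str, bool, bool]]


def dig_probe(resolver: str, qname: str) -> Tuple[str, bool, bool]:
    """Live probe (assumption: `dig` is installed). Sends a +dnssec query and reads
    the status, the header flags, and whether any RRSIG record came back."""
    try:
        out = subprocess.run(
            ["dig", f"@{resolver}", qname, "A", "+dnssec", "+time=2", "+tries=1"],
            capture_output=True, text=True, timeout=10, check=False,
        ).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "TIMEOUT", False, False
    status = re.search(r"status: (\w+)", out)
    flags = re.search(r";; flags: ([^;]*);", out)
    ad = bool(flags and "ad" in flags.group(1).split())
    has_rrsig = re.search(r"\sIN\s+RRSIG\s", out) is not None
    return (status.group(1) if status else "TIMEOUT"), ad, has_rrsig


def classify(resolver: str, probe: Probe) -> str:
    """Return one of: validating, passthrough, strips-dnssec, broken."""
    good_rcode, good_ad, good_rrsig = probe(resolver, GOOD_SIGNED)
    if good_rcode != "NOERROR":
        return "broken"          # cannot resolve a correctly signed name at all
    if not good_rrsig:
        return "strips-dnssec"   # answers, but drops RRSIGs: local validation cannot work
    bad_rcode, _, _ = probe(resolver, BAD_SIGNED)
    if good_ad and bad_rcode == "SERVFAIL":
        return "validating"      # upstream validates: AD on good data, SERVFAIL on bogus
    if bad_rcode == "NOERROR":
        return "passthrough"     # hands DNSSEC data through unvalidated; local validator decides
    return "broken"


USABLE = ("validating", "passthrough")


def pick_resolver(candidates: List[str], probe: Probe) -> Tuple[Optional[str], str]:
    """First resolver, in preference order, whose DNSSEC behaviour a local validator can live with."""
    for resolver in candidates:
        verdict = classify(resolver, probe)
        if verdict in USABLE:
            return resolver, verdict
    return None, "none"


# Constructed responses so the decision logic can be exercised offline.
CONSTRUCTED: Dict[Tuple[str, str], Tuple[str, bool, bool]] = {
    ("192.0.2.1", GOOD_SIGNED): ("NOERROR", False, False),   # constructed ISP resolver that strips RRSIGs
    ("192.0.2.1", BAD_SIGNED): ("NOERROR", False, False),
    ("192.0.2.2", GOOD_SIGNED): ("NOERROR", False, True),    # constructed non-validating pass-through resolver
    ("192.0.2.2", BAD_SIGNED): ("NOERROR", False, True),
    ("8.8.8.8", GOOD_SIGNED): ("NOERROR", True, True),       # validating public resolver
    ("8.8.8.8", BAD_SIGNED): ("SERVFAIL", False, False),
}


def constructed_probe(resolver: str, qname: str) -> Tuple[str, bool, bool]:
    """Offline stand-in for dig_probe; unknown resolvers look like a timeout."""
    return CONSTRUCTED.get((resolver, qname), ("TIMEOUT", False, False))


if __name__ == "__main__":
    for r in ("192.0.2.1", "192.0.2.2", "8.8.8.8", "192.0.2.3"):
        print(r, classify(r, constructed_probe))
    print(pick_resolver(["192.0.2.1", "8.8.8.8"], constructed_probe))
```

Swap `constructed_probe` for `dig_probe` to run it against real resolvers; the ISP-assigned address goes first in the candidate list so the fallback only kicks in when the ISP resolver is classified as broken or as stripping DNSSEC data.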