[Cerowrt-devel] Full blown DNSSEC by default?

Dave Taht dave.taht at gmail.com
Sun Apr 13 00:26:23 EDT 2014


I am delighted that we have the capability now to do DNSSEC.

I am not surprised that various domain name holders are doing it
wrong, nor that some ISPs and registrars don't support doing it
either. We are first past the post here, and kind of have to expect
some bugs...

But is the overall sense here:

A) we should do full DNSSEC by default, and encourage users to use
open DNS resolvers like Google DNS that support it when their ISPs
don't?

B) or should we fall back to the previous partial DNSSEC
implementation that didn't break as hard, and encourage folk to turn
it up full blast if supported correctly by the upstream ISP?

C) or come up with a way of detecting a broken upstream and falling
back to a public open resolver?

Is there a "D"?

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


