In message <968c470dac25fb419e0159952f28f0c06df65...@mem0200cp3xf04.ds.irsnet.gov>, Morizot Timothy S writes:
>
> DNSSEC validation is not a panacea, but if you refuse to implement it you
> are denying your users one layer of protection you could pretty easily
> provide. And given that in the US the large majority of federal agency
> DNS authoritative zones are signed, you also can't claim there's no
> benefit to the US public from validation. Implementing validation on
> recursive nameservers does not protect users from every attack. Nothing
> does. Nor is it as good as performing validation at the client. But it is
> a solid first step with real security benefits. And it's a step that can
> be followed and built upon with further enhancements later.

And validating in the recursive server is required for DNSSEC to work
reliably when the client is validating as it doesn't talk directly to
the authoritative servers. Turning on DNSSEC validation in the recursive
servers is the first step in turning on validation in the client.

> Scott

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org