Mark,

> On Nov 13, 2015, at 4:18 PM, Mark Andrews <ma...@isc.org> wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
> 
> Why would the ISPs turn off DNSSEC?  It doesn't prevent them sending back
> NXDOMAIN.  The clients will validate or not.  If they validate they will
> get a validation failure.  If they don't then the NXDOMAIN will be accepted.

My point was that folks at ISPs tend to prefer not to be thrown in jail.

> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.

Love that plan. Let me know when you've convinced Apple to "just" add a
validator to iOS (I'm assuming iOS doesn't currently have that capability).

> This really isn't conceptually different to how they manage
> CAs.

My point was that the vast majority of those affected by this would likely not 
be in a position to install a validating resolver on their device.

Regards,
-drc
