Mark,

> On Nov 13, 2015, at 4:18 PM, Mark Andrews <ma...@isc.org> wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
>
> Why would the ISPs turn off DNSSEC? It doesn't prevent them sending back
> NXDOMAIN. The clients will validate or not. If they validate they will
> get a validation failure. If they don't then the NXDOMAIN will be accepted.

My point was that folks at ISPs tend to prefer not to be thrown in jail.

> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.

Love that plan. Let me know when you've convinced Apple to "just" add a validator to IOS (I'm assuming IOS doesn't currently have that capability).

> This really isn't conceptually different to how they manage
> CAs.

My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.

Regards,
-drc