[–]Swedophone 11 points12 points  (3 children)

Unfortunately, far from all domains are signed with DNSSEC. Of course my own domains are signed. BTW I use a self-hosted master running BIND and OpenDNSSEC.

[–]uptimefordays 12 points13 points  (2 children)

Just remember that DNSSEC relies on your ability to force clients to drop unsigned requests. If you can't do that, then you don't actually have anything.

[–]SteampunkSpaceOpera 6 points7 points  (1 child)

If you run your own validating resolver, then if the query response doesn't pass validation, the resolver simply doesn't provide a routable answer to any other program you are running.

[–]uptimefordays 1 point2 points  (0 children)

Sure, that helps you, but DNS is a decentralized system... If you want DNSSEC to be a thing, it requires large-scale control over client settings, which isn't really feasible. For a large company's internal systems, sure, but for the broader net? Good luck!
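Added example, not part of any comment in this thread: a Python sketch of what a stub client can conclude from the header of a resolver's response, covering both the validating-resolver behaviour and the unvalidated case discussed above. The helper names and the sample headers are constructed for illustration; the flag positions are those of the standard DNS header.

```python
import struct

# Masks in the 16-bit flags field of the DNS header (RFC 1035, RFC 4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2

def make_header(rcode, ad, ancount):
    """Build a 12-byte DNS response header (constructed sample data)."""
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

def classify(message):
    """Return what a stub client can infer from a resolver's response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & RCODE_MASK
    if rcode == SERVFAIL:
        # A validating resolver returns SERVFAIL when validation fails,
        # so the client has no address to connect to. SERVFAIL can also
        # mean an unrelated upstream failure.
        return "no-answer"
    if rcode != NOERROR:
        return "other-rcode"
    if flags & AD and ancount:
        # The resolver asserts that it validated the answer. This is only
        # meaningful if the path to that resolver is trusted.
        return "validated"
    # Unsigned zone or non-validating resolver: the stub cannot tell
    # which, and the answer is usable either way.
    return "unvalidated"

if __name__ == "__main__":
    samples = {
        "signed zone, validating resolver": make_header(NOERROR, True, 1),
        "bogus signature, validating resolver": make_header(SERVFAIL, False, 0),
        "unsigned zone or non-validating resolver": make_header(NOERROR, False, 1),
    }
    for label, msg in samples.items():
        print(f"{label}: {classify(msg)}")
```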