> So, as per the replies we've read, it seems that the only way to > implement DNSSEC would be to first check if it works, and if it doesn't, > fallback to the locally provided recursive DNS server.
I still think a switch on/off (whatever the default) should be considered because if anyone decides to depend on the (limited) trust but trust all the same that DNSSEC provides then the fact that it falls back to an untrusted mechanism when it can be easily DOS'd may lead to a false sense of security which is worse than no security. -- _______________________________________________________________________ 'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy) In Other Words - Don't design like polkit or systemd _______________________________________________________________________ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/225587.90830...@smtp146.mail.ir2.yahoo.com
