US government mandates? use of DNSSEC by federal agencies

Steven M. Bellovin smb at
Wed Aug 27 12:13:42 CDT 2008

On Wed, 27 Aug 2008 09:53:26 -0700
"Kevin Oberman" <oberman at> wrote:

> > 
> > So the question I have is... will operators (ISP, etc) turn on
> > DNSsec checking? Or a more basic question of whether you even
> > _could_ turn on checking if you were so inclined?
> As far as I can see, at least with bind-9.5, operators would have to
> turn it off. It looks to me like dnssec-validation defaults to on. It
> also appears that bind-9.4 defaults to 'off'. 

Right.  The real questions are the clients and the trust anchor -- what
root key do you support?

		--Steve Bellovin,

More information about the NANOG mailing list