Sept. 21, 2018
3:46 p.m.
ray> What about the (hypothetical?) home CPE with a validating resolver ray> that's been left on the shelf for a couple of years. ray> RFC 5011 doesn't help those. AFAIK, re-bootstrapping trust for ray> those is still an unsolved problem. If said CPE has 2 year old OS/firmware, DNSSEC validation is the least of the problems it causes if the vendor hasn't figured out how to do sane/clean updates automatically. Keeping it from being usefully connected to the internet might be considered a public service. ;)