In message <20081126175013.94E2828C161@xxxxxxxxxxxxxx>, Russ Housley writes: > I have been approached about a plenary experiment regarding > DNSSEC. The idea is for everyone to try using DNSSEC-enabled clients > during the plenary session. I like the idea. What do others think? > > Russ > > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf The first thing we should address is the lack of signed zones under the control of the IETF. ; <<>> DiG 9.3.5-P2 <<>> dnskey ietf.org ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29574 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;ietf.org. IN DNSKEY ;; AUTHORITY SECTION: ietf.org. 7200 IN SOA ns0.ietf.org. glen.amsl.com. 1200000073 1800 1800 604800 7200 ;; Query time: 344 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Nov 27 10:06:43 2008 ;; MSG SIZE rcvd: 79 Secondly we should just turn on DNSSEC validation on the recursive servers offered by DHCP and RAs. This should be on for the entire week. This is what we are asking ISP's to do and I see no reason why we shouldn't do the same. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf