In message <a123a5d60906111838t460ca168l9cf797a486ec1cf1@xxxxxxxxxxxxxx>, Phillip Hallam-Baker writes:
> So we have totally abandoned the idea of doing DNSSEC in the end point client?

No. Recursive nameservers need to validate the answers returned from the DNS for their own uses. This doesn't preclude other applications also validating answers.

Having recursive nameservers validate answers is not the end point in DNSSEC deployment. It's just a good first step which is good enough in some operational environments. There are however lots of operational environments where this would not be good enough and the validation really needs to be performed in the application.

For your light switch example a validating recursive resolver is probably all you need. For laptops you most probably want to move the validation onto the laptop, either in the application or by running a validating recursive nameserver on the laptop which may or may not use the nameservers in the DHCP response as forwarders. I do this today.

> Trust roots have to be valid for at least a decade to be acceptable to
> the application vendor community.

That's an unproved assumption.

> And even though the current model of network administration is to
> constantly fiddle with everything, I think that is going to have to
> stop.

Lots of companies already use private roots. Equipment manufacturers are not going to build equipment that can't be used by those markets.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
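The message's distinction between a remote validating resolver and validation on the laptop comes down to the AD ("authentic data") bit: a recursive resolver that validated an answer signals that by setting AD in the response header, but the bit is only a flag in the packet, so an application should treat it as proof of validation only when the resolver that set it is local (or the path to it is otherwise protected). The following is an added example and not code from the message or from ISC; it parses the fixed DNS header from constructed wire bytes and applies a hypothetical policy function (answer_is_trustworthy, assumed here) that accepts AD only from a local validator, which is the configuration Mark describes for laptops.

```python
import struct

# DNS header flag bits: QR/RD/RA from RFC 1035 section 4.1.1,
# AD and CD from RFC 4035 section 3.2.3.
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: the resolver claims it DNSSEC-validated the answer
FLAG_CD = 0x0010  # checking disabled: the client intends to validate itself

# Fixed 12-byte header: id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (network byte order).
HEADER = struct.Struct("!HHHHHH")


def build_response(msg_id: int, flags: int, ancount: int = 1) -> bytes:
    """Constructed 12-byte DNS response header (sections omitted; sample data only)."""
    return HEADER.pack(msg_id, FLAG_QR | flags, 1, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header; reject truncated input instead of reading garbage."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = HEADER.unpack_from(msg)
    return {
        "id": msg_id,
        "is_response": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def answer_is_trustworthy(msg: bytes, resolver_is_local: bool) -> bool:
    """Hypothetical application policy (an assumption of this example):
    accept the AD bit as evidence of validation only when the resolver that
    produced it runs on this host. Over an unprotected path to a resolver
    handed out by DHCP, the bit can be altered between resolver and client,
    so it carries no assurance on its own."""
    hdr = parse_header(msg)
    if not hdr["is_response"]:
        return False
    return hdr["ad"] and resolver_is_local


if __name__ == "__main__":
    # Constructed sample responses: one with AD set, one without.
    validated = build_response(0x1234, FLAG_RD | FLAG_RA | FLAG_AD)
    unvalidated = build_response(0x1234, FLAG_RD | FLAG_RA)
    print("local validator, AD set   ->", answer_is_trustworthy(validated, True))
    print("DHCP resolver, AD set     ->", answer_is_trustworthy(validated, False))
    print("local validator, AD clear ->", answer_is_trustworthy(unvalidated, True))
```

Running the block prints True, False, False: the same AD bit is accepted from the on-laptop validator and ignored when it arrives from a resolver the laptop merely learned about from DHCP, which is the operational reason the message gives for moving validation onto the endpoint.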