On 25 Sep 2010, at 01:16, John Levine <johnl@xxxxxxxx> wrote:
>
> Plan C: Sophisticated ISPs might configure their own DNSSEC key into
> customer resolvers, and sign replacement records with that.

DNSSEC's validation model makes this basically impossible. The customer
resolvers would have to know ahead of time which names will be overridden
by their ISP and so may be validated by the extra trust anchor.

Plan D: ISPs that want to block the DNS for evil domains just return a
server failure response for the appropriate queries. See also Paul Vixie's
RPZ proposal.

Tony.
-- 
f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf