Theodore Ts'o <tytso@xxxxxxx> wrote: > Speaking of which, Jim Gettys was trying to tell me yesterday that > BIND refuses to do DNSSEC lookups until the endpoint client has > generated a certificate. That is wrong. DNSSEC validation affects a whole view - i.e. it is effectively global. Clients can request DNSSEC records or not, regardless of whether they do any transaction security. Clients can do DNSSEC validation without any private keys. Tony. -- f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.