On Fri, Sep 06, 2013 at 03:26:42PM +0100, Tony Finch wrote:
> Theodore Ts'o <tytso@xxxxxxx> wrote:
>
> > Speaking of which, Jim Gettys was trying to tell me yesterday that
> > BIND refuses to do DNSSEC lookups until the endpoint client has
> > generated a certificate.
>
> That is wrong. DNSSEC validation affects a whole view - i.e. it is
> effectively global.
>
> Clients can request DNSSEC records or not, regardless of whether they do
> any transaction security. Clients can do DNSSEC validation without any
> private keys.

That's what I hoped, thanks.

- Ted