On Thu, Sep 12, 2013 at 04:46:01PM +0000, Ted Lemon wrote:
>
> The model for this sort of validation is really not on a per-client
> basis, but rather depends on routine cross-validation by various
> DNSSEC operators throughout the network.  This will not necessarily
> catch a really focused attack, so it's not a panacea, but it would
> limit the scope of the threat for this sort of attack.

Fair enough, but if the goal is to prevent pervasive surveillance,
simply using a key exchange which provides perfect forward secrecy will
do that, even given the pathetic state of https security given the
realities of the web and the CAs out there.

Still, I agree with the general precept that perfect should not be the
enemy of the better, and DNSSEC certainly adds value.  I just get
worried about people who seem to think that DNSSEC is a panacea.

- Ted
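The forward-secrecy argument in the reply above, illustrated with an added example that is not code from this thread or from either Ted. It is a toy model of two handshake styles over the 2048-bit MODP group of RFC 3526 (group 14), showing what a passive recorder that later obtains the server's long-term key can and cannot reconstruct from a saved transcript. The HMAC used as a stand-in for the server's signature, the "static"/"ephemeral" mode names and all function names are assumptions of this example, not anything from the thread.

```python
"""Forward-secret vs. static key exchange against a passive recorder.

Added illustration, not code from the thread. Two handshake styles over the
2048-bit MODP group of RFC 3526 (group 14):
  static:    the server's long-term secret is also its key-agreement key, so
             the session key is a function of (transcript, long-term key),
             the same recovery property as RSA key transport in TLS <= 1.2;
  ephemeral: fresh exponents per session; the long-term key only authenticates.
Assumption: server authentication is modelled as an HMAC under the long-term
secret, a stand-in for a real signature. No CA or TLS code is involved.
"""
import hashlib
import hmac
import secrets

GROUP14_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(GROUP14_HEX.split()), 16)
G = 2
Q = (P - 1) // 2   # safe prime: q = (p-1)/2 is itself prime
NBYTES = 256       # 2048-bit group elements

def is_probable_prime(n, rounds=8):
    """Miller-Rabin, used only to sanity-check the hard-coded parameters."""
    if n < 2 or any(n % sp == 0 and n != sp for sp in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_safe_prime():
    return is_probable_prime(P) and is_probable_prime(Q)

def random_exponent():
    return secrets.randbelow(Q - 2) + 2

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()

def auth_tag(long_term, share):
    """Signature stand-in (assumption): MAC of the server's share under its long-term key."""
    return hmac.new(long_term.to_bytes(NBYTES, "big"), share.to_bytes(NBYTES, "big"), "sha256").digest()

def static_handshake(server_long_term):
    """Client ephemeral a, server static s: key = g^(a*s); only g^a is fresh on the wire."""
    a = random_exponent()
    client_share, server_pub = pow(G, a, P), pow(G, server_long_term, P)
    key = kdf(pow(server_pub, a, P))
    del a   # the client wipes its exponent; the server's secret is long-lived by design
    return key, {"mode": "static", "client_share": client_share, "server_share": server_pub, "tag": None}

def ephemeral_handshake(server_long_term):
    """Fresh a and b; the long-term key only authenticates g^b (DHE-style)."""
    a, b = random_exponent(), random_exponent()
    client_share, server_share = pow(G, a, P), pow(G, b, P)
    key = kdf(pow(server_share, a, P))
    assert key == kdf(pow(client_share, b, P))   # both sides derive the same key
    tag = auth_tag(server_long_term, server_share)
    del a, b   # both exponents are wiped once the session key exists
    return key, {"mode": "ephemeral", "client_share": client_share, "server_share": server_share, "tag": tag}

def recover_from_transcript(transcript, server_long_term):
    """A passive recorder that later obtains the server's long-term key s.

    The only thing s lets it compute from the recording is client_share^s. For
    the static handshake that is the session secret; for the ephemeral one it
    is g^(a*s), a value never used as a key. The key does, however, still let it
    produce a valid tag on any share, i.e. impersonate the server from now on."""
    candidate = kdf(pow(transcript["client_share"], server_long_term, P))
    can_impersonate = transcript["tag"] is not None and hmac.compare_digest(
        transcript["tag"], auth_tag(server_long_term, transcript["server_share"]))
    return candidate, can_impersonate

def demo():
    """What the recorder recovers under each handshake style (True == recovered)."""
    lt = random_exponent()
    static_key, static_tx = static_handshake(lt)
    eph_key, eph_tx = ephemeral_handshake(lt)
    static_guess, _ = recover_from_transcript(static_tx, lt)
    eph_guess, can_impersonate = recover_from_transcript(eph_tx, lt)
    return {"static_key_recovered": static_guess == static_key,   # True: no forward secrecy
            "ephemeral_key_recovered": eph_guess == eph_key,      # False: forward secrecy
            "server_impersonation_later": can_impersonate}        # True: PFS is not authentication

if __name__ == "__main__":
    print("RFC 3526 group 14 is a safe prime:", group_is_safe_prime())
    print(demo())
```

The third flag in `demo()` is the caveat a practitioner should keep in mind: forward secrecy protects sessions that were recorded before the long-term key leaked, but it says nothing about future sessions, where whoever holds that key can still authenticate as the server. That is the part a CA, or DNSSEC-based validation, has to cover; the key exchange alone does not.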