On Mon, Jul 13, 2015 at 02:36:18PM -0400, Sam Hartman wrote:

> I have never been convinced that DNSSEC validation of A or AAAA records
> has value. I understand I am a heretic in the security community for
> saying that, but there it is.

I'm inclined to agree that the value is marginal. In the DANE SMTP draft,
validation of A/AAAA records is used only as a "probe" to detect unsigned
zones, so that one can avoid sending TLSA queries to such zones (where
misconfigured firewalls or buggy nameservers are prone to mishandle all
but the most common DNS RRtypes). The validation status of address
records is otherwise ignored.

Forging IP address records in DNS is rather tamper-evident. It is far
more attractive to attack BGP, and MiTM or just monitor the traffic
transparently.

-- 
	Viktor.
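The "probe" flow described above, as an added illustration that is not part of the thread and not the DANE SMTP draft's or any MTA's actual code: the validation status (AD bit) of the MX host's address record decides only whether a TLSA query is sent at all, and is otherwise ignored. The resolver here is an in-memory stand-in with constructed zones (`signed.example`, `unsigned.example`) and a placeholder certificate hash; a real client needs a validating resolver on a trusted path, and would also handle AAAA, CNAMEs and the MX lookup itself, which this example omits.

```python
"""DANE-for-SMTP lookup flow: the A record's validation status as a probe.

Illustration only; the resolver is an in-memory stand-in, not real DNS.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DnsAnswer:
    rrset: List          # records returned (empty on NODATA/NXDOMAIN)
    authenticated: bool  # AD bit: True only if the answer validated under DNSSEC


class FakeResolver:
    """Constructed stand-in for a local validating resolver.

    Each zone entry records whether the zone is DNSSEC-signed and which
    RRsets it holds. Queries are logged so callers can see what was sent.
    """

    def __init__(self, zones: Dict[str, dict]):
        self.zones = zones
        self.queries: List[Tuple[str, str]] = []

    def query(self, name: str, rrtype: str) -> DnsAnswer:
        self.queries.append((name, rrtype))
        # Find the owning zone: strip leading labels until a known zone matches.
        labels = name.split(".")
        for i in range(len(labels)):
            zone = self.zones.get(".".join(labels[i:]))
            if zone is not None:
                rrs = list(zone["records"].get((name, rrtype), []))
                return DnsAnswer(rrs, zone["signed"])
        return DnsAnswer([], False)


def dane_tlsa_lookup(resolver: FakeResolver, mx_host: str, port: int = 25):
    """Return (status, tlsa_records) for an MX host.

    Step 1: look up the address record. Its validation status is used only
    to decide whether a TLSA query is worth sending; the address itself is
    used either way (the "probe" role described in the thread).
    """
    addr = resolver.query(mx_host, "A")
    if not addr.rrset:
        return "no-address", []
    if not addr.authenticated:
        # Unsigned zone (or no validation available): send no TLSA query.
        return "unsigned", []
    # Step 2: the zone validates, so ask for TLSA under the SMTP port label.
    tlsa = resolver.query(f"_{port}._tcp.{mx_host}", "TLSA")
    if not tlsa.authenticated:
        # A TLSA answer that does not validate must not be used for DANE.
        return "insecure-tlsa", []
    if not tlsa.rrset:
        return "no-tlsa", []
    return "dane", tlsa.rrset


def build_demo_resolver() -> FakeResolver:
    # Constructed sample zones; the certificate hash is a placeholder.
    placeholder_hash = "00" * 32
    return FakeResolver({
        "signed.example": {
            "signed": True,
            "records": {
                ("mx1.signed.example", "A"): ["192.0.2.10"],
                ("_25._tcp.mx1.signed.example", "TLSA"): [(3, 1, 1, placeholder_hash)],
            },
        },
        "unsigned.example": {
            "signed": False,
            "records": {
                ("mx1.unsigned.example", "A"): ["192.0.2.20"],
                # A TLSA record here carries no assurance: nothing protects it.
                ("_25._tcp.mx1.unsigned.example", "TLSA"): [(3, 1, 1, placeholder_hash)],
            },
        },
    })


if __name__ == "__main__":
    r = build_demo_resolver()
    for host in ("mx1.signed.example", "mx1.unsigned.example", "mx1.nowhere.example"):
        print(host, dane_tlsa_lookup(r, host)[0])
    print("queries sent:", r.queries)
```

Running it shows that the unsigned zone never receives a TLSA query even though it publishes one, which is the point of the probe: the TLSA record's only value comes from validation, and the A lookup answers that question before any less common RRtype is sent.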