+1. For now, just adding the managed-keys section should be a big step forward.
A nice way to test this is to look up www.dnssec-failed.org. If you get NXDOMAIN, dnssec validation is working, otherwise it isn't.: Good: $ host www.dnssec-failed.org Host www.dnssec-failed.org not found: 3(NXDOMAIN) Bad: $ host www.dnssec-failed.org www.dnssec-failed.org has address 68.87.64.48 -Kees -- Kees Cook @debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org