On 14 apr 2012, at 01:50, Mark Andrews <ma...@isc.org> wrote: > What one needs to do is validate answers from one's own zones > internally as well as answers from the rest of the world.
Unfortunately too many of the broken zones we have in Sweden are the ones where split DNS is in use and the external zone is broken while internal one is not signed at all. Not until Microsoft do have full working support for DNSSEC (which is coming now...) this will be resolved, and then many more zones will be signed. But, as soon as someone actually go to the home page of a city, it will fail as large ISPs do validate in Sweden. Next step is that a complaint is to be filed and the problem solved. Unfortunately this process is often repeated next time there is key roll over unless the city start having interesting stuff on their web site... :-P Patrik _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop