On Fri, Sep 06, 2013 at 03:26:42PM +0100, Tony Finch wrote:
> Theodore Ts'o <ty...@mit.edu> wrote:
>
> > Speaking of which, Jim Gettys was trying to tell me yesterday that
> > BIND refuses to do DNSSEC lookups until the endpoint client has
> > generated a certificate.
>
> That is wrong. DNSSEC validation affects a whole view - i.e. it is
> effectively global.
>
> Clients can request DNSSEC records or not, regardless of whether they do
> any transaction security. Clients can do DNSSEC validation without any
> private keys.
That's what I hoped, thanks.
- Ted
