Florian Weimer wrote: > * Jason Frisvold: > >> On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote: >>> nice to see a wholesale DNSSEC rollout underway (I must confess to being a >>> little surprised at the source, too!). Granted, it's a much more manageable >>> problem set than, say, .com - but if one US-controlled TLD can do it, hope >>> is buoyed for a .com rollout sooner rather than later (although probably not >>> much sooner :)). >> I'm not much up on DNSSEC, but don't you need to be using a resolver >> that recognizes DNSSEC in order for this to be useful? > > Correct, you need a validating, security-aware stub resolver, or the > ISP needs to validate the records for you. >
In public space like .com, don't you need some kind of central trustworthy CA?