* Colin Alston: >> Correct, you need a validating, security-aware stub resolver, or the >> ISP needs to validate the records for you.
> In public space like .com, don't you need some kind of central > trustworthy CA? No, why would you? You need to trust the zone operator, and you need some trustworthy channel to exchange trust anchors at one point in time (a significant improvement compared to classic DNS, where you need a trustworthy channel all the time). -- Florian Weimer <[EMAIL PROTECTED]> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99