On Fri, Aug 16, 2019 at 04:53:23PM +1000, Viktor Dukhovni wrote:
> Bottom line, only trust local resolvers you deploy, configure
> *correctly* and test.
Well, it doesn't _have_ to be local. You could, for instance, be connected to a resolver that you know you can trust (FSVO "know" and "trust") over IPsec. I believe that was the use case originally for the AD bit, which otherwise is more or less useless for all the reasons you outline. (Your general point, of course, still stands.)

A

--
Andrew Sullivan
a...@anvilwalrusden.com
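The trust rule this exchange describes, as an added example not taken from either poster: a client reads the AD bit from the DNS response header and honours it only when the answer came from a resolver on its own trusted list (loopback, or a peer reached over IPsec). The trusted address ranges and the sample headers are constructed assumptions.

```python
import ipaddress
import struct

# DNS header flag bits: RFC 1035 section 4.1.1; AD/CD defined in RFC 4035 section 3.2.3.
FLAG_QR = 0x8000  # response
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data, set by a validating resolver
FLAG_CD = 0x0010  # checking disabled, set by the client


def parse_header(msg: bytes):
    """Return (id, flags) from the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags = struct.unpack("!HH", msg[:4])
    return ident, flags


def ad_bit_set(msg: bytes) -> bool:
    """True if the answer carries AD; says nothing about who set it or on what path."""
    _, flags = parse_header(msg)
    return bool(flags & FLAG_AD)


def authenticated(msg: bytes, resolver_ip: str, trusted_resolvers) -> bool:
    """Honour AD only when the answer came from a resolver we deploy and trust,
    over a path nobody else can rewrite (loopback, or a peer behind IPsec).
    An AD bit arriving from any other address is treated as meaningless."""
    ip = ipaddress.ip_address(resolver_ip)
    if not any(ip in net for net in trusted_resolvers):
        return False
    return ad_bit_set(msg)


# Constructed sample headers; the flag check needs no question or answer sections.
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
SAMPLE_NO_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RA, 1, 1, 0, 0)

# Hypothetical trust policy: the local validating resolver (v4 and v6 loopback)
# plus one remote resolver reachable only through an IPsec tunnel.
TRUSTED = [ipaddress.ip_network("127.0.0.0/8"),
           ipaddress.ip_network("::1/128"),
           ipaddress.ip_network("192.0.2.53/32")]

if __name__ == "__main__":
    for src in ("127.0.0.1", "192.0.2.53", "203.0.113.9"):
        print(src, authenticated(SAMPLE_AD, src, TRUSTED))
```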