Max Tulyev wrote:
We (NetAssist, Kiev, Ukraine) did it a year ago (RIPE backresolve, .se, .ru, .net, .com as well as ISC's DLV checking).
I think this is a great move. Have you had any feedback from your users?
In general, I don't believe in practical usage of this implementation, because you can do a DNS attack on the client's resolver directly.
But I see a significant decrease of spam after DNSSEC implementation. I believe it can happen because wise spammers can't cheat backresolve and blacklist checks anymore.
How is the information about whether the RRsets are signed and/or validated, or not, getting back to the clients? IOW, if I'm a piece of anti-spam software, how do I know that the answer I received is signed and validated? I ask because IMO this is actually the more difficult part of DNSSEC deployment. We have the stuff to sign the zones, but figuring out how to use the signature data (or lack thereof) is a whole new kettle of fish.

Doug

--
If you're never wrong, you're not trying hard enough