We (NetAssist, Kiev, Ukraine) did it a year ago (RIPE backresolve, .se, .ru, .net, .com as well as ISC's DLV checking). In general, I don't believe in practical usage of this implementation, because of you can do a DNS attack on the client's resolver directly. But I see significant decrease of spam after DNSSEC implementation. I believe it can happens because of wise spammers can't cheat backresolve and blacklists checks anymore. Lutz Donnerhacke wrote:
On Tue, Feb 13, 2007 at 04:18:37PM +0100, Patrik Fältström wrote:
On 13 feb 2007, at 15.45, Lutz Donnerhacke wrote:
What is so great about this message? That a large ISP turn on verification of DNSSEC signatures in their resolvers with the key of a TLD as anchor. That has not happened before as far as I know. If I am wrong, I would like to know.
I thought Cable and Wireless did this in December 2005.
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)