On Tue, Oct 21, 2008 at 10:59:46AM -0400, Paul Wouters <paul@xelerance.com> wrote a message of 10 lines which said:
Why should these be in the DLV ?
Because, otherwise, how could I validate domains under ".br" and ".cz"? By trying to find a public key on their (https) Web site and adding it as a trust anchor? By exchanging PGP-signed email with Federico or Ondrej? This does not scale.
I'd rather see people configure their resolvers properly.
What is a proper configuration? My BIND has: dnssec-enable yes; dnssec-lookaside . trust-anchor dlv.isc.org.; dnssec-validation yes; include "/etc/bind/trust-anchors"; // A few DNSKEY for domains // I was able to check personnally Better suggestions are welcome.
Will this cause people who use properly configured resolvers to send DLV requests for those TLD's?
If "properly configured" is the configuration above, yes :-)