Re: Jessie release goal: DNSSEC as default recursive resolver
> So, as per the replies we've read, it seems that the only way to
> implement DNSSEC would be to first check if it works, and if it doesn't,
> fallback to the locally provided recursive DNS server.
I still think a switch on/off (whatever the default) should be
considered because if anyone decides to depend on the (limited) trust
but trust all the same that DNSSEC provides then the fact that it falls
back to an untrusted mechanism when it can be easily DOS'd may lead to a
false sense of security which is worse than no security.
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
In Other Words - Don't design like polkit or systemd