So... Hokay...

DNSSEC is a fine and useful BOS ... but there is this little nagging
problem that is bugging me. One of the lemmas is that zones are signed, which
leaves the small problem of validating glue. Others have argued that the
proper response is to insist that all glue be removed by excising all the
"out of bailiwick" data - forcing servers to being the zone. Nice idea, but
will take a -LONG- time to gain operational traction. So in the meantime,
we have signed zones w/ "orphaned" RRsets.

Is there any reason why we can't validate the NS records, perhaps
using the same general techniques as would be used for incremental signing?


