I'm adopting/setting up DNSSEC on my domains for the first time, and curious about the practical benefits I can expect. In theory, regardless of whether client/stub resolvers want checking, recursive nameservers can request signature chains, and, for any domain where the higher-level delegating one indicates that there's supposed to be a signature, treat the absence of a valid signature as a hard lookup error to return to the client, thereby protecting domain owners against forged records. What portion of ISP and public (Google, Cloudflare, etc.) recursive nameservers currently do this? Is it common or uncommon?
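Added example, not part of the original post: a way to tell from a resolver's replies whether it enforces the behaviour described in the question. It compares the DNS header of a reply for a correctly signed name with the reply for a name whose signatures are deliberately broken. The two test names, the function names and the header-only sample messages are assumptions constructed for illustration.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
QR_BIT = 0x8000   # message is a response
AD_BIT = 0x0020   # "Authenticated Data": resolver asserts it validated the answer

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR_BIT), "ad": bool(flags & AD_BIT),
            "rcode": flags & 0x000F, "ancount": an}

def classify_resolver(signed_ok: bytes, signed_broken: bytes) -> str:
    """Classify a recursive resolver from two replies (queries sent without CD bit):
    signed_ok     - reply for a name in a correctly signed zone
    signed_broken - reply for a name whose parent says it is signed,
                    but whose signatures do not validate
    """
    good, bad = parse_header(signed_ok), parse_header(signed_broken)
    if not (good["qr"] and bad["qr"]):
        raise ValueError("expected DNS responses")
    if good["rcode"] == RCODE_NOERROR and bad["rcode"] == RCODE_SERVFAIL:
        return "validating"        # bogus data became a hard lookup error
    if bad["rcode"] == RCODE_NOERROR and bad["ancount"] > 0:
        return "not validating"    # bogus answer was handed to the client
    return "inconclusive"          # e.g. resolver unreachable or failing everything

def sample(flags: int, ancount: int) -> bytes:
    """Constructed header-only reply: id 0x1234, one question, no other sections."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples (QR|RD|RA = 0x8180 as the base flags)
GOOD_AD      = sample(0x81A0, 1)   # NOERROR, AD set, one answer
GOOD_NOAD    = sample(0x8180, 1)   # NOERROR, AD clear, one answer
BAD_SERVFAIL = sample(0x8182, 0)   # SERVFAIL, no answer
BAD_ANSWERED = sample(0x8180, 1)   # NOERROR, bogus answer returned anyway

if __name__ == "__main__":
    print(classify_resolver(GOOD_AD, BAD_SERVFAIL))     # validating resolver
    print(classify_resolver(GOOD_NOAD, BAD_ANSWERED))   # non-validating resolver
```

The AD flag is only returned when the query asked for it (AD or DO bit set), so the SERVFAIL on the broken name is the more reliable signal.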