On Fri, Apr 11, 2014 at 18:44:21 -0400,
Paul Wouters <paul(a)nohats.ca> wrote:
> First, TTLs you receive from a forwarder can always be manipulated, even
> with DNSSEC - otherwise caching wouldn't work.
> Second, I still don't understand the point. Are you suggesting it is
> better to believe all DNS lies than to not know where the lies lead?
Not better. That DNSSEC doesn't really solve everything one might
want it to. And hence one might want to avoid ISPs' DNS services
in some cases.