> It's a module plug-in into bind and if you prefer to try and do this
> on an opt-in basis they have a client program that you download and
> it gets hooked into the user's browser.
This is the right way to do it, end user opt in, and browser only.
i'm a little bit worried about the idea of doing this inside BIND, since
DNS is supposed to be coherent, and answers are supposed to be based on
fact rather than value. but the larger point of this reply is:
Unilaterally forcing it upon everyone and breaking non www based apps is
the wrong way to do it.
if you have well founded views on this topic and you have not yet shared
them with ICANN's SSAC, please do so. see <http://secsac.icann.org/>.
There is nothing I can say that hasn't already been said explicitly and
clearly and multiple times already.
I can only speak as a network engineer, and Verisign has already made it
abundantly clear they dismiss engineering views entirely, they see us as a
bunch of whiny anti-business geeks with no grip on reality.
Does SSAC have any authority over what Verisign does? If SSAC recommends
something contrary to Verisign's designs, what's stopping Verisign from
going ahead and doing it anyway? My questions to SSAC are not what they're
currently asking for input for (according to their page, they are only
looking for security and stability input at the moment).
If you know the proper ICANN committee for these questions, I'm all ears.