by kevinburkesf » Sun Feb 23, 2020 12:06 pm
DNSSEC has fallen out of favor recently. It's no longer a recommended standard for federal websites. It has not gained adoption in mainstream browsers. It's also a usability nightmare since you can't show anything to the user when resolution fails. This argument has been made in depth by eg. or

I was wondering if you would consider disabling DNSSEC on the DNS resolvers. This might simplify the configuration, and make those servers more robust.