On Wed, Sep 09, 2009 at 03:38:56PM +0200, Ond?ej Surý <ondrej at sury.org> wrote a message of 41 lines which said: > I would rather say that .PR is at fault here. I remember that they had expired signatures in the zone at a time. But my point is not here: sure, some TLD perform better than others. But, with regular DNS, you have to work really hard to completely break the resolution process. With DNSSEC, it is the opposite, you have to be very good to make things work. Activating DNSSEC validation mean switching from "it will work most of the time" to "it will work only when everything is OK". I'm not sure that many people are ready to go this way.