Debian to start deploying DNSSEC

It is expected that many end users will ask a recursive DNS server (perhaps one in their household DSL router, or at an ISP, or in a corporate data centre) to perform the DNSSEC checks on their behalf, at least initially. This protects them from poisoning of a distant cache or impersonation of the DNS servers for a particular domain which previously had the potential to send millions of users to a bogus web site or whatever with just one good exploit.

Obviously if you want to actually be sure you should do all your own checks, but this costs CPU (fine in a PC but not in some embedded devices) and requires that you stay up to date with changes to the root keys (for most Linux users these will presumably be distributed as package updates like the timezone file updates) once the root is signed for real this summer.