Steve, One can in fact apply the "end to end argument" here. As the source of the data is not the DNS but some user admin, then the records of a secure DNS should be signed by this admin, not the DNS server. This is exactly what is done for "certificates"... Christian Huitema