[growse]

It feels like enabling DNSSEC on any zone is inviting a bunch of fun service risks and unexpected failures.

Is my clock more likely to be accurate after NTP.org got signed? It looks like it's less likely, on average.