> (see also: http://www.ietf.org/rfc/rfc5081.txt) or as a barely thought though proposal some X509 cert cryptographicly tied to a DNSSEC key of the domain. I'm assuming some aspect of DNSSEC keys can be under exclusive possession of domain controller else this can't apply. As I said - haven't though this through much. Daniel