In the year since that blog post, does anyone know of any OS vendors whose stub resolvers support TSIG? The key distribution issue is a barrier, but I would think that recursive DNS providers (like OpenDNS, Google, and others) would be interested in differentiating their services by providing this additional layer of protection.<p>One solution is to run a forwarding server on the customer's computer and use TSIG to secure its communication with the recursive service, but this won't work for every device in the household. I can't run a forwarding DNS server on my iPad and I wouldn't want all of the devices in my house to have to funnel their DNS through a single computer which could be off and break DNS.<p>Any ideas on how to solve this problem?