Thanks, Gord! The one thing of interest that I noted in the "DNS Check" (https://zonemaster.iis.se) for GTALUG.org was that our DNS hosting via Gandi has perhaps insufficient diversity. To wit, there are several warnings similar to "All nameservers in the delegation have IPv4 addresses in the same AS (29169)." I don't think we'd win much by adding an extra delegation separate from Gandi (e.g. - adding an extra nameserver elsewhere) in practice, given that we only have one server anyways. That would likely require we publish our DNS information in a more complex fashion, essentially duplicating all changes, and I think that would lead to the risk of us But it seems to me as though Gandi would be able to help their customers if they had one of their nameservers be located somewhere else than inside ASN 29169. FYI, Firefox complains about the Verisign verifier (https://dnssec-analyzer.verisignlabs.com/) being insecure due to using Symantec signatures. I wonder if we should consider setting up gtalug.org to use DNSSEC; that's a question to consider at an Ops meeting some time...