Is there any way to set a DNSSec-always policy similar to how HSTS commands Web Browsers to always use HTTPS?
This would mitigate a DNSSec-strip attack (similar to SSLStrip)
I'm also unclear if this would apply to IPSec, where security is mandatory, however not sure if this requires DNSSec as a pre-requisite