
Whoa, will DNSSEC prevent all DNS-level hijacking? OpenDNS has a DNS-level blacklist option (totally opt-in) which redirects to their own servers. Will that still be possible with DNSSEC?



As this amounts to A record forgery, yes, DNSSEC clients will prevent this. There is really no technical difference between this practice and the poisoning that DNSSEC is defined to defeat.

Of course there are plenty of other ways to blacklist or redirect IPs - using routes, RBL subscriptions in software firewalls, or through browsers, like the Google Safe Browsing subscriptions. DNSSEC won't be the place to do it, though.


OpenDNS has a whole bunch of other opt-out (per IP) features that depend on DNS-level hijacking.

By default they point NXDOMAIN to their own landing page, blacklist 'known phishing sites', and proxy some Google requests through their own servers to defeat clever browser address bars.



