On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
required. Yes, there are servers that do DNSSEC but don't correctly
handle DO (it is not echoed in the response). The current root
servers are do not exibit this mis-behaviour. This however comes
from requiring DNSSEC support not EDNS support.
I would like to understand exactly what you mean by, "Do DNSSEC but
don't correctly handle DO." That sounds to me like the kind of do
DNSSEC, not that they do it properly. DNSSEC requires EDNS0, full
stop; therefore any additional text on the matter is unnecessary.
Moreover, see upthread the exchange between Bill Manning and John
Klensin. I think if we have a root server operator that starts
running some dodgy implementation of some name server code, the root
server operators are going to have a worse day of it than the IETF. I
think we should specify exactly what we need and no more. Since
DNSSEC entails EDNS0 support, we're done.
Best regards,
A
--
Andrew Sullivan
ajs(_at_)anvilwalrusden(_dot_)com