Doug Barton <do...@dougbarton.us> writes:

> I have a guess at why ISC would want to enable it by default, and even in
> the presence of an option to turn it off I'm still Ok with that default.
> But if it's not a standards requirement to have it on, giving the admin a
> choice would be a welcome thing.
this was, as you pointed out, a controversial decision. BIND implements the "DO" bit as "this requestor will not vomit or crash if you include DNSSEC metadata in the response".

we believe that this supports the eventual goal of near-universal DNSSEC deployment, in which it's foolish to treat "DO" as "this requestor is explicitly interested in DNSSEC metadata on this answer". the earlier we face the UDP fragmentation pain, the smaller that pain will have been by the time we overcome it. same thing for validator bugs, zone signing/resigning errors/expirations, and everything else that makes "always set DO" seem unattractive today, to today's sysadmins, who aren't involved in any DNSSEC deployment crusade and don't appreciate being co-opted for it.

unless a new IETF RFC comes along and disambiguates the meaning of "DO" such that it's only to be set if the requestor thinks it has a reasonable shot at validating the resulting metadata, i expect BIND to keep setting "DO" on all EDNS requests it generates. and i don't think you can make a _public benefit_ argument that this is wrong even though there are _private benefit_ arguments.

-- 
Paul Vixie
KI6YSY
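For readers who want to see exactly which bit the thread is arguing about, here is an added example (written for this page, not code from BIND or from either poster) that builds a DNS query carrying an EDNS(0) OPT record and parses the DO bit back out of it; the query bytes are constructed, and the query name and UDP size are arbitrary sample values.

```python
import struct

# EDNS(0) OPT pseudo-RR (RFC 6891): the DO bit is the top bit of the
# 16-bit "extended flags" half of the OPT record's 32-bit TTL field.
EDNS_DO = 0x8000
TYPE_OPT = 41

def build_opt_rr(udp_size=4096, do=True, version=0):
    """Wire form of an OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    TTL = ext-rcode(8) | version(8) | flags(16), empty RDATA."""
    flags = EDNS_DO if do else 0
    ttl = (0 << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)

def build_query(qname, qtype=1, do=True):
    """Minimal DNS query for qname/qtype with one OPT RR in the additional
    section. Constructed sample data, not captured from a real resolver."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1) + build_opt_rr(do=do)

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_edns(msg):
    """Find the OPT RR in a DNS message; return (udp_size, version, do_bit),
    or None when the message carries no EDNS OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass, (ttl >> 16) & 0xFF, bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return None

if __name__ == "__main__":
    for do in (True, False):
        print(parse_edns(build_query("example.com.", do=do)))
```

Running it prints the UDP size, EDNS version and DO flag for a query with and without DO, which is the difference between what BIND sends by default and what the original poster asked to be able to choose.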