Francis,

On Aug 21, 2008, at 8:42 AM, Francis Dupont wrote:
> it seems the three problems are more from EDNS0 than from
> the DO=1 (and without EDNS0 there is no DO bit :-) so DO is not
> the real source of the problems, it is EDNS0 and how it can be
> badly handled by not-compliant middle boxes & co.

Yes and no.

Yes: if the root is signed, the existence of DO=1 in a request will trigger a response from the root that is substantively larger than if DO=0 (actual size difference obviously depends on a variety of factors that have not yet been determined). I'd agree this is mostly an EDNS0 thing.

No: a DO=1 response will also contain different stuff (DNSSEC-related RRs). Didn't mention this in my previous message, but it may also be a consideration.

It would've been nice to limit the impact of signing the root to only those folks who had explicitly configured that they care about the root being signed, but that's not what was implemented.

Regards,
-drc

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
