On 15 Jan 2010, at 13:20, Florian Weimer wrote:
> DO is rather pointless because the priming response cannot be validated anyway (even if ROOT-SERVERS.NET were secure, which is currently not planned).
It's not pointless. Validating the priming response requires two operations. The first of these is checking the signature over the root zone's NS RRset, which won't be returned unless the DO bit is set. [Let's avoid the rat-hole of a DNSSEC-aware resolver iteratively querying for DNSKEYs, RRSIGs and so on.] The second operation involves validating the address records in root-servers.net, which will also be most efficiently done by setting the DO bit on those queries.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
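The two-step validation the reply describes, as an added example that is not code from this thread or from any resolver implementation. It builds a priming query (`. IN NS`) with an EDNS0 OPT record carrying the DO bit (the high bit of the OPT flags, RFC 6891), parses a response, and reports whether an RRSIG covering the root NS RRset came back and which root-server names still need their A/AAAA records validated by separate queries, since additional-section glue is never signed. The stand-in root server, its 16 zero signature bytes, key tag 12345 and the 192.0.2.1 glue address are all constructed for the example; the cryptographic signature check itself, which needs the root DNSKEY, is deliberately not performed.

```python
"""Priming query with the DO bit, and what a validator pulls out of the reply."""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
CLASS_IN = 1
DO_FLAG = 0x8000  # DNSSEC OK: high bit of the OPT RR's 16-bit flags (RFC 6891)


def encode_name(name):
    """Uncompressed wire-format name; '.' encodes as a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(packet, off, hops=0):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = packet[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow, remember where we were
            if hops > 127:
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2
            off, hops = ((length & 0x3F) << 8) | packet[off + 1], hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(packet):
    """Return (flags, questions, records); a record is
    (section, owner, type, ttl, rdata_offset, rdlen) so rdata names can be decompressed."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(packet, off)
        questions.append((name,) + struct.unpack("!HH", packet[off:off + 4]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(packet, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
            off += 10
            records.append((section, name, rtype, ttl, off, rdlen))
            off += rdlen
    return flags, questions, records


def build_priming_query(txid=0x1234, do_bit=True, udp_payload_size=1232):
    """'. IN NS' with an OPT RR; the OPT TTL field holds ext-rcode, version and flags."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # QR=0, RD=0, one OPT in additional
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    opt_ttl = DO_FLAG if do_bit else 0
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, opt_ttl, 0)
    return header + question + opt


def query_requests_dnssec(query):
    """True if the query carries an OPT RR with DO set (what an authoritative server checks)."""
    _, _, records = parse_message(query)
    return any(rtype == TYPE_OPT and ttl & DO_FLAG for _, _, rtype, ttl, _, _ in records)


def rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def constructed_priming_response(query):
    """Constructed stand-in for a root server (not real root data): answers '. NS' with two
    placeholder servers plus unsigned A glue, and adds an RRSIG only when the query set DO."""
    txid = struct.unpack("!H", query[:2])[0]
    servers = ["a.root-servers.net.", "b.root-servers.net."]
    answer = b"".join(rr(".", TYPE_NS, 518400, encode_name(s)) for s in servers)
    ancount = len(servers)
    if query_requests_dnssec(query):
        # RRSIG rdata: type covered, algorithm 8, labels 0, original TTL, expiration,
        # inception, key tag, signer name, signature (all placeholder values here).
        sig = struct.pack("!HBBIIIH", TYPE_NS, 8, 0, 518400, 0x5FFFFFFF, 0x5F000000, 12345)
        answer += rr(".", TYPE_RRSIG, 518400, sig + encode_name(".") + b"\x00" * 16)
        ancount += 1
    glue = rr("a.root-servers.net.", TYPE_A, 518400, bytes([192, 0, 2, 1]))  # constructed
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, ancount, 0, 1)  # QR=1, AA=1
    return header + encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN) + answer + glue


def inspect_priming_response(packet):
    """Step 1: is there an RRSIG covering the root NS RRset? Step 2: which root-server
    names still need their addresses validated by separate queries (glue is unsigned)."""
    _, _, records = parse_message(packet)
    ns_names = sorted(read_name(packet, off)[0] for sec, owner, rtype, _, off, _ in records
                      if sec == "answer" and owner == "." and rtype == TYPE_NS)
    signed = any(sec == "answer" and owner == "." and rtype == TYPE_RRSIG
                 and struct.unpack("!H", packet[off:off + 2])[0] == TYPE_NS
                 for sec, owner, rtype, _, off, _ in records)
    glue = [(owner, ".".join(str(b) for b in packet[off:off + 4]))
            for sec, owner, rtype, _, off, _ in records if sec == "additional" and rtype == TYPE_A]
    return {"ns": ns_names, "ns_rrsig_present": signed,
            "unsigned_glue": glue, "needs_address_validation": ns_names}


if __name__ == "__main__":
    for do_bit in (True, False):
        reply = constructed_priming_response(build_priming_query(do_bit=do_bit))
        print(f"DO={do_bit}:", inspect_priming_response(reply))
```

Without DO the stand-in returns the NS RRset but no RRSIG, so step 1 cannot even start; with DO the RRSIG is present but the A record in the additional section is still just glue, which is why the addresses of the root-servers.net names are listed for separate validation rather than trusted from this reply.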