> Nicholas Weaver <mailto:nwea...@icsi.berkeley.edu>
> Thursday, November 06, 2014 7:55 AM
>
>
> ...
>
> Short of setting deliberate viral brush fires designed to brick old
> devices, we're stuck with them and need to plan around them.

BIND once had a 100% market share, and did a number of things wrong,
which Win/NT's DNS implementation had to work around. rather than
documenting the current behaviour and telling others to plan around it,
we fixed BIND.

similarly, many DNS servers are behind low-grade IP firewalls who pass
udp/53 but not frags, thus keeping EDNS from working. so, every EDNS
implementation has complicated fallback, and DNSSEC won't work on many
data paths. nevertheless we call those firewalls "wrong" and keep trying
to get DNSSEC (and therefore EDNS) working.

so, there are cases where you have to plan for an extremely long tail,
and other cases where you plan for a rapid transition.

implementations who think NXDOMAIN is valid for empty-nonterminal nodes
are known-broken, and they are on our short list to fix, and we're going
to ignore them and let their operators feel the pain.

-- 
Paul Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
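
The empty-non-terminal case mentioned in the message above, as an added example that is not part of the original post or of any DNS server's code: a toy authoritative lookup that answers NOERROR with no data for a name that has no records of its own but has descendants, next to a variant that returns NXDOMAIN, and a check that tells the two apart. The zone contents and all function names are constructed for illustration; wildcards, CNAMEs, delegations and DNSSEC are assumed out of scope.

```python
# Constructed sample zone: owner name -> {rrtype: [rdata]}.
# "b.example.com." owns no records but has a descendant, so it is an
# empty non-terminal (ENT).
ZONE = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.53"]},
    "a.b.example.com.": {"A": ["192.0.2.1"]},
}

def normalize(name):
    """Lower-case the name and make sure it ends with a single dot."""
    return name.lower().rstrip(".") + "."

def labels(name):
    """Labels from the top of the tree down: 'a.b.com.' -> ('com', 'b', 'a')."""
    return tuple(reversed(normalize(name).rstrip(".").split(".")))

def name_exists(zone, qname):
    """A name exists if it, or any name below it, owns records."""
    q = labels(qname)
    return any(labels(owner)[:len(q)] == q for owner in zone)

def correct_lookup(qname, qtype, zone=ZONE):
    """Return (rcode, answers); an ENT yields NOERROR with no answers."""
    rrsets = zone.get(normalize(qname), {})
    if qtype in rrsets:
        return ("NOERROR", list(rrsets[qtype]))
    if name_exists(zone, qname):
        return ("NOERROR", [])      # NODATA: name exists, type does not
    return ("NXDOMAIN", [])         # nothing at or below this name

def broken_lookup(qname, qtype, zone=ZONE):
    """Only checks for an exact owner name, so an ENT becomes NXDOMAIN."""
    rrsets = zone.get(normalize(qname))
    if rrsets is None:
        return ("NXDOMAIN", [])
    return ("NOERROR", list(rrsets.get(qtype, [])))

def treats_ent_as_nxdomain(lookup, ent="b.example.com.", child="a.b.example.com."):
    """Conformance check: the child resolves, yet its parent is NXDOMAIN."""
    child_rcode, child_answers = lookup(child, "A")
    ent_rcode, _ = lookup(ent, "A")
    return child_rcode == "NOERROR" and bool(child_answers) and ent_rcode == "NXDOMAIN"

if __name__ == "__main__":
    for fn in (correct_lookup, broken_lookup):
        print(fn.__name__, fn("b.example.com.", "A"), treats_ent_as_nxdomain(fn))
```

A resolver that caches the broken server's NXDOMAIN for `b.example.com.` and applies it to everything below that name would then fail to resolve `a.b.example.com.`, which is why the distinction matters operationally.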
