I'm going to assume these two proposals can be merged. The simple way to do this is to *always* add an OPT record that only contains this option to the end of the packet, adjusting the additional section count. This OPT record is removed and the additional section count is adjusted prior to TSIG / SIG(0) verification.
When replying via the front end, you always add an OPT record to the end of the packet after TSIG / SIG(0) computation, adjusting the additional section count. This is removed by the front end, adjusting the additional section count. This allows for TSIG, SIG(0) and plain DNS to be handled gracefully. Any other options like destination address can be added to this OPT record. If people really object to two OPT records we can do an OPT clone.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
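The append-and-strip step described in the message above, as an added example that is not part of the original post or of any implementation it refers to. The option code 65001 (from the local/experimental range), the function names and the sample query are assumptions made for illustration; the point shown is that stripping restores the exact bytes a TSIG / SIG(0) signature was computed over, even when the client sent its own OPT record.

```python
import struct

OPT_TYPE = 41              # EDNS(0) OPT RR type
PROXY_OPTION_CODE = 65001  # assumption: local/experimental code; the message names none

def append_front_end_opt(msg: bytes, option_data: bytes) -> bytes:
    """Append an OPT RR holding only our option and increment ARCOUNT."""
    arcount = struct.unpack_from("!H", msg, 10)[0]
    rdata = struct.pack("!HH", PROXY_OPTION_CODE, len(option_data)) + option_data
    # owner = root, TYPE = OPT, CLASS = UDP payload size, TTL = 0, RDLENGTH
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + opt

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name starting at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def strip_front_end_opt(msg: bytes) -> tuple[bytes, bytes]:
    """Remove the trailing OPT RR; return (original message, option data)."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, last = 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):               # walk every RR to find the last one
        last = off
        off = _skip_name(msg, off)
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    if ar == 0 or last is None or off != len(msg) or msg[last] != 0:
        raise ValueError("no trailing front-end OPT record")
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, last + 1)
    code, optlen = struct.unpack_from("!HH", msg, last + 11) if rdlen >= 4 else (0, 0)
    if rtype != OPT_TYPE or code != PROXY_OPTION_CODE or optlen + 4 != rdlen:
        raise ValueError("last record is not the front-end OPT record")
    # Restoring ARCOUNT and dropping the RR yields the exact bytes the sender signed.
    return msg[:10] + struct.pack("!H", ar - 1) + msg[12:last], msg[last + 15:last + 11 + rdlen]

# Constructed sample: query for example.com A that already carries the client's own OPT
QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
         + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
         + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0))

if __name__ == "__main__":
    wrapped = append_front_end_opt(QUERY, bytes([192, 0, 2, 1]))  # constructed payload
    restored, data = strip_front_end_opt(wrapped)
    print(restored == QUERY, data.hex())
```

A truncated message raises `IndexError` or `struct.error` during the walk; a receiver should treat those the same as `ValueError` and reject the packet before any signature check.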