On Jul 17, 2023, at 14:12, John R Levine <jo...@taugh.com> wrote:

> In view of the wide use of DNSSEC and DoT and DoH, I think the argument that
> triggering TCP is bad stopped being persuasive a while ago. (Don't we hope
> people sign the DNS responses with the tokens?)

I’m sure there are still plenty of tools crafting DNS packets or using simplistic tools that are not able to do TCP or DNSSEC. Yes, we really hope they would use libbind or libunbound or Python-unbound, but in general it is still good if a response doesn’t require a resend using TCP.

> The only somewhat plausible argument I see against stuffing the apex is that
> if people are sloppy, they might invent tokens that could be confused with
> each other.

This is an important point and what got me involved with the draft.

> But people have been putting tokens at the apex for years and I have never,
> ever, heard of token confusion.

It’s literally what happened to me in the first week of my current $dayjob. I found 5 tokens that no one knew what they were, whom they were for, and whether or not they were still needed.

A draft not triggering a retransmit is better than a draft commonly triggering a retransmit, even independent of this being TCP- or UDP-based; there are check applications unaware of the TC bit because the writers weren’t DNS experts.

Paul
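The retransmit concern in the thread, as an added example that is not part of the list discussion or of the draft: a stdlib-only Python sketch that wire-encodes a TXT answer for an apex (assumed to be example.com, with constructed tokens), finds the point at which the answer no longer fits a 512-byte or EDNS 1232-byte UDP payload, and shows the TC-bit check a client has to make before trusting a UDP answer.

```python
import struct

def encode_name(name: str) -> bytes:
    """Wire-format a DNS owner name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <length><chars> strings, each at most 255 bytes."""
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c.encode("ascii") for c in chunks)

def build_txt_response(apex: str, tokens: list, txid: int = 0x1234) -> bytes:
    """Minimal answer to '<apex> TXT': header, question, one TXT RR per token.
    No name compression and no OPT record, so the size is an upper bound."""
    qname = encode_name(apex)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(tokens), 0, 0)  # QR, RD, RA set
    question = qname + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    answers = b""
    for token in tokens:
        rdata = txt_rdata(token)
        answers += qname + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return header + question + answers

def needs_tcp_retry(response: bytes, udp_payload_size: int = 512) -> bool:
    """True when the server would have to truncate (TC=1) for this UDP size."""
    return len(response) > udp_payload_size

def set_tc(response: bytes) -> bytes:
    """Set the TC bit (0x0200 in the flags word) the way a truncating server does."""
    flags = struct.unpack("!H", response[2:4])[0] | 0x0200
    return response[:2] + struct.pack("!H", flags) + response[4:]

def tc_is_set(response: bytes) -> bool:
    """The check a 'simplistic tool' must make before trusting a UDP answer."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

def max_tokens_in_udp(apex: str, tokens: list, udp_payload_size: int = 512) -> int:
    """How many of these tokens fit at the apex before a UDP answer is truncated."""
    fit = 0
    for n in range(1, len(tokens) + 1):
        if needs_tcp_retry(build_txt_response(apex, tokens[:n]), udp_payload_size):
            break
        fit = n
    return fit

# Constructed sample: verification tokens of the usual shape (69 characters each).
TOKENS = [f"vendor{i}-site-verification={'x' * 43}" for i in range(10)]

if __name__ == "__main__":
    for size in (512, 1232):
        print(size, "bytes:", max_tokens_in_udp("example.com", TOKENS, size), "tokens fit")
```

With these sizes the sixth token already pushes a plain 512-byte UDP answer into TC=1, while all ten still fit a 1232-byte EDNS payload; a real server's name compression lowers the numbers somewhat, but the cliff is the same.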