> From: Dean Anderson [mailto:dean@xxxxxxx]

> It is not DNSSEC that is broken.

Anycast has been deployed for four years. Any change to the DNS infrastructure that is incompatible with use of anycast is not acceptable and will not be deployed.

Anycast significantly improves the response time and the robustness of DNS operations and allows operations to be made more scalable and run more economically.

Core DNS is subject to continuous DDoS attacks. Without anycast there is a possibility that at some point in the future it might not be possible to support the bandwidth needed to defeat these attacks.

The DNS has operated successfully without DNSSEC up to this point. The onus is always on those proposing a change to work within the deployed infrastructure.

The DNSSEC spec makes several proposals that appear to address the packet fragmentation issue. If you think these are inadequate you should explain why.

Phill

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf