On Wed, Apr 25, 2012 at 11:15 AM, Andrew Sullivan <ajs@xxxxxxxxxxxxxxxxxx> wrote:

> On Wed, Apr 25, 2012 at 09:52:39AM -0400, Phillip Hallam-Baker wrote:
>
>> dependency on the DNSSEC trust chain despite the easily observed fact
>> that less than 97% of DNS resolvers will pass anything other than
>> A/AAAA and CNAME records.
>
> I'm having a hard time understanding that sentence. Could you
> clarify, please:
>
> A. Fewer than 97% of DNS resolvers can pass anything other than
> A/AAAA and CNAME, which means something more than 3% of resolvers pass
> only A/AAAA and CNAME.
>
> This is what I _think_ you mean, which means that n% > broken
> resolvers > 3%, right? If so, I'd like a citation, though it
> doesn't sound wrong to me. That we'd have something on the order
> of 3% of the software deployed everywhere on the Internet be
> broken ought to be completely unsurprising.

That was what two independent studies that were input to the CABForum revocation Workshop found. One was by Comodo, the other I am not sure what the citability status would be.

The Comodo study was obtained by hooking the OCSP validation call in a very large number of browsers for over a week. I will see if it could be submitted as a draft, as such studies can be useful.

> B. 97% of the DNS resolvers is the most that has ever been observed
> working according to specification, and the number may be much lower.
>
> This is the rhetorical point I think might be read in. In this
> case, I think a citation is in order.

Unfortunately this is also the case, since we were merely looking for support for TXT records. So I would expect to see an even higher rate of stripping for DNSSEC records.

--
Website: http://hallambaker.com/