On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
> required. Yes, there are servers that do DNSSEC but don't correctly
> handle DO (it is not echoed in the response). The current root
> servers do not exhibit this mis-behaviour. This however comes
> from requiring DNSSEC support not EDNS support.

I would like to understand exactly what you mean by, "Do DNSSEC but don't correctly handle DO." That sounds to me like they kind of do DNSSEC, not that they do it properly. DNSSEC requires EDNS0, full stop; therefore any additional text on the matter is unnecessary.

Moreover, see upthread the exchange between Bill Manning and John Klensin. I think if we have a root server operator that starts running some dodgy implementation of some name server code, the root server operators are going to have a worse day of it than the IETF.

I think we should specify exactly what we need and no more. Since DNSSEC entails EDNS0 support, we're done.

Best regards,

A

-- 
Andrew Sullivan
ajs@xxxxxxxxxxxxxxxxxx
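
The DO handling discussed in this message can be checked on the wire. The following is an added example, not part of the original e-mail or of any name server's code: it parses a DNS response and reports whether an EDNS0 OPT record is present and whether the DO bit is set in it. The names `edns_do_state` and `SAMPLES` are hypothetical, and the sample messages are constructed.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
DO_FLAG = 0x8000       # "DNSSEC OK" bit in the OPT flags field

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length

def edns_do_state(msg):
    """Return None if the message has no OPT RR, else True/False for the DO bit."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            # OPT reuses the TTL field as: ext-rcode(8) | version(8) | flags(16)
            return bool(ttl & DO_FLAG)
    return None

def _response(opt_flags):
    """Constructed sample: a response to ". SOA" with an optional OPT RR."""
    additional = 0 if opt_flags is None else 1
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, additional)
    msg += b"\x00" + struct.pack("!HH", 6, 1)           # question: . SOA IN
    if opt_flags is not None:
        # root name, TYPE=OPT, CLASS=UDP payload size 4096, TTL=flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, opt_flags, 0)
    return msg

SAMPLES = {
    "no EDNS0 at all": _response(None),
    "EDNS0, DO not echoed": _response(0x0000),
    "EDNS0, DO echoed": _response(DO_FLAG),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print(f"{label}: {edns_do_state(wire)}")
```

For a query sent with DO set, a `False` result corresponds to the behaviour described in the quoted text (DO not echoed), and `None` means the response carried no EDNS0 at all.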