In message <20150305232806.GG1197@xxxxxxxxxxxxxxx>, Andrew Sullivan writes:
> On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
> > required. Yes, there are servers that do DNSSEC but don't correctly
> > handle DO (it is not echoed in the response). The current root
> > servers do not exhibit this mis-behaviour. This however comes
> > from requiring DNSSEC support not EDNS support.
>
> I would like to understand exactly what you mean by, "Do DNSSEC but
> don't correctly handle DO." That sounds to me like the kind of do
> DNSSEC, not that they do it properly. DNSSEC requires EDNS0, full
> stop; therefore any additional text on the matter is unnecessary.

To get the DNSSEC records added to the responses the server needs to
be able to see the DO=1 bit. It does not need to properly handle
unknown EDNS options. It does not need to properly handle unknown
flags. It does not need to properly handle EDNS version != 0. It does
not need to fully handle DO by adding DO=1 to the response.

I'm sure all the TLD operators listed in tld-report.html [1] with
broken implementations think they are doing EDNS correctly.

[1] http://users.isc.org/~marka/tld-report.html

When only 65% of the world gets EDNS support right I don't think it
unreasonable to make fully compliant EDNS support a requirement.

> Moreover, see upthread the exchange between Bill Manning and John
> Klensin. I think if we have a root server operator that starts
> running some dodgy implementation of some name server code, the root
> server operators are going to have a worse day of it than the IETF. I
> think we should specify exactly what we need and no more. Since
> DNSSEC entails EDNS0 support, we're done.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs@xxxxxxxxxxxxxxxxxx

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
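The distinction drawn in the message above, between a server that merely sees DO=1 and returns RRSIGs and one that is fully EDNS-compliant (OPT returned, DO echoed, version handled), can be checked mechanically on the wire. The following is an added example, not code from the thread or from ISC: it builds an EDNS0 query carrying DO=1, parses a response far enough to see whether RRSIG and OPT records are present and whether the DO bit and EDNS version come back, and classifies the result. The three sample responses are constructed inline (the RRSIG rdata is a placeholder and is never parsed); nothing is captured from a real server, and the `verdict` labels are this example's own wording.

```python
"""Classify a DNS response for the EDNS behaviours the thread distinguishes:
RRSIG returned, OPT present, DO echoed, EDNS version. Standard library only."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000  # DO is the top bit of the 16-bit EDNS flags field (RFC 3225)


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Skip a (possibly compressed) owner name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=TYPE_A, do=True, edns_version=0, udp_size=4096):
    """Query with RD set and one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT "TTL" field = ext-rcode(8) | version(8) | flags(16); DO lives in flags
    ttl = (edns_version << 16) | (DO_FLAG if do else 0)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def build_response(name, answers, opt_do=None, edns_version=0):
    """Constructed response. `answers` is a list of (rtype, rdata);
    opt_do=None means no OPT RR at all (a server without EDNS)."""
    arcount = 0 if opt_do is None else 1
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        # 0xC00C: compression pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if opt_do is not None:
        ttl = (edns_version << 16) | (DO_FLAG if opt_do else 0)
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return msg


def classify_response(msg):
    """Walk every RR in the message and report the EDNS/DNSSEC indicators."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off) + 4  # skip QTYPE and QCLASS
    result = {"rcode": flags & 0xF, "rrsig": False, "opt": False,
              "do_echoed": False, "edns_version": None}
    for _ in range(an + ns + ar):
        off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            result["rrsig"] = True
        elif rtype == TYPE_OPT:
            result["opt"] = True
            result["edns_version"] = (ttl >> 16) & 0xFF
            result["do_echoed"] = bool(ttl & DO_FLAG)
    return result


def verdict(msg):
    """Map the indicators onto the cases discussed in the thread."""
    r = classify_response(msg)
    if not r["opt"]:
        return "no EDNS in response"
    if r["rrsig"] and not r["do_echoed"]:
        return "returns DNSSEC data but does not echo DO"
    if r["rrsig"]:
        return "DNSSEC data with DO echoed"
    return "EDNS present, no DNSSEC data"


# Constructed samples (not captured traffic); RRSIG rdata is a placeholder blob.
A_RDATA = bytes([192, 0, 2, 1])
RRSIG_RDATA = b"\x00" * 27
SAMPLES = {
    "full_edns": build_response("example.", [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)], opt_do=True),
    "dnssec_no_do_echo": build_response("example.", [(TYPE_A, A_RDATA), (TYPE_RRSIG, RRSIG_RDATA)], opt_do=False),
    "no_edns": build_response("example.", [(TYPE_A, A_RDATA)], opt_do=None),
}

if __name__ == "__main__":
    for label, wire in SAMPLES.items():
        print(f"{label:20s} -> {verdict(wire)}")
```

To use this against a live server you would send `build_query(name)` over UDP and feed the reply to `classify_response`; a second probe with `edns_version=1` is the usual way to check the "EDNS version != 0" case the message mentions, where a compliant server answers with BADVERS (extended RCODE) rather than ignoring the OPT record.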