On Fri, Mar 06, 2015 at 10:57:42AM +1100, Mark Andrews wrote:
>
> To get the DNSSEC records added to the responses the server needs
> to be able to see the DO=1 bit.

Last I checked, the draft was a requirements document, not an enforcement checklist for the heretofore missing Protocol Police Force. If you could point to a piece of the relevant RFCs that make partial EDNS support or something like that acceptable to make DNSSEC work, then I think you'd have an argument. So far, you have not offered such an argument.

> I'm sure all the TLD operators listed in tld-report.html [1] with
> broken implementations think they are doing EDNS correctly.

The draft before us has absolutely nothing to do with TLD operations. As you've pointed out repeatedly, you have written some drafts on the topic of not being foolish when operating DNS servers. I'm sure the IETF will, in due course, give those drafts the attention they deserve. In the interim, however, I don't see how all those other levels of the DNS are entirely relevant to the present discussion, and I think we ought to stick to this topic.

You have not made an argument that is specifically relevant to the root and that addresses the formal dependence of DNSSEC on EDNS. Therefore, I believe your suggested changes should not be incorporated.

Best regards,

A

--
Andrew Sullivan
ajs@xxxxxxxxxxxxxxxxxx
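The dependence the thread is arguing about is concrete: the DO ("DNSSEC OK") bit lives in the flags field of the EDNS0 OPT pseudo-RR, so a query without an OPT record has nowhere to carry it. The following example is added here and is not part of the original message; it builds plain and EDNS0 queries with the Python standard library and shows that DO can only be read from a message that carries an OPT RR. Names, payload size and transaction id are constructed sample values.

```python
import struct

OPT = 41           # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # "DNSSEC OK" bit: top bit of the 16-bit OPT flags field (RFC 3225)

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype=1, edns=False, do=False, txid=0x1234):
    """Minimal DNS query; with edns=True an OPT RR is appended, optionally with DO=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # QCLASS=IN
    if not edns:
        return header + question            # no additional section: no place for DO
    # OPT RR: empty name, TYPE=41, CLASS carries the UDP payload size, TTL carries
    # extended RCODE | EDNS version | 16 flag bits (DO is the top one), RDLENGTH=0
    ttl = (0 << 24) | (0 << 16) | (DO_FLAG if do else 0)
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, 4096, ttl, 0)

def skip_name(pkt, off):
    """Advance past a wire-format name, including a trailing compression pointer."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                # two-byte pointer ends the name
            return off + 2
        off += n + 1

def do_bit_set(pkt):
    """True only if the message carries an OPT RR whose DO flag is 1.
    A message without EDNS (no OPT RR) cannot signal DO at all."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return bool(ttl & DO_FLAG)
    return False

if __name__ == "__main__":
    for label, pkt in [("plain", build_query("example.com.")),
                       ("edns, DO=0", build_query("example.com.", edns=True)),
                       ("edns, DO=1", build_query("example.com.", edns=True, do=True))]:
        print(f"{label:11s} {len(pkt):3d} bytes  DO={do_bit_set(pkt)}")
```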