wait… is RFC 2870bis for TLDs or the roots? (I’ll note that conflation of roots and TLDs was part of the problem with RFC 2870…)

/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 5March2015Thursday, at 15:57, Mark Andrews <marka@xxxxxxx> wrote:

>
> In message <20150305232806.GG1197@xxxxxxxxxxxxxxx>, Andrew Sullivan writes:
>> On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
>>> required. Yes, there are servers that do DNSSEC but don't correctly
>>> handle DO (it is not echoed in the response). The current root
>>> servers do not exhibit this mis-behaviour. This however comes
>>> from requiring DNSSEC support not EDNS support.
>>
>> I would like to understand exactly what you mean by, "Do DNSSEC but
>> don't correctly handle DO." That sounds to me like the kind of do
>> DNSSEC, not that they do it properly. DNSSEC requires EDNS0, full
>> stop; therefore any additional text on the matter is unnecessary.
>
> To get the DNSSEC records added to the responses the server needs
> to be able to see the DO=1 bit. It does not need to properly handle
> unknown EDNS options. It does not need to properly handle unknown
> flags. It does not need to properly handle EDNS version != 0. It
> does not need to fully handle DO by adding DO=1 to the response.
>
> I'm sure all the TLD operators listed in tld-report.html [1] with
> broken implementations think they are doing EDNS correctly.
>
> [1] http://users.isc.org/~marka/tld-report.html
>
> When only 65% of the world gets EDNS support right I don't think it
> unreasonable to make fully compliant EDNS support a requirement.
>
>> Moreover, see upthread the exchange between Bill Manning and John
>> Klensin. I think if we have a root server operator that starts
>> running some dodgy implementation of some name server code, the root
>> server operators are going to have a worse day of it than the IETF. I
>> think we should specify exactly what we need and no more. Since
>> DNSSEC entails EDNS0 support, we're done.
>>
>> Best regards,
>>
>> A
>>
>> --
>> Andrew Sullivan
>> ajs@xxxxxxxxxxxxxxxxxx
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx
>
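
Added example, not part of the thread and not code from any of its participants: a Python check that separates "serves DNSSEC records" from the fuller EDNS behaviours Mark Andrews lists (DO echoed, unknown flags and options not echoed, BADVERS for version != 0), by parsing the OPT record of a raw response as laid out in RFC 6891. The function names and the constructed sample response are assumptions, and the input is assumed to be a well-formed DNS message.

```python
import struct

BADVERS = 16  # extended RCODE from RFC 6891

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label 1

def parse_opt(msg):
    """Return (rcode, version, do, z, option_codes), or None without an OPT RR."""
    flags, qd, an, ns, ar = struct.unpack_from("!HHHHH", msg, 2)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 41:  # OPT: the TTL field carries ext-rcode, version, flags
            codes, p = [], off
            while p < off + rdlen:
                code, olen = struct.unpack_from("!HH", msg, p)
                codes.append(code)
                p += 4 + olen
            return ((ttl >> 24) << 4 | flags & 0xF, ttl >> 16 & 0xFF,
                    bool(ttl & 0x8000), ttl & 0x7FFF, codes)
        off += rdlen
    return None

def edns_faults(resp, sent_version=0, sent_do=True, sent_opt=None):
    """List deviations from full EDNS handling for one query/response pair."""
    opt = parse_opt(resp)
    if opt is None:
        return ["no OPT record in response"]
    rcode, _version, do, z, codes = opt
    checks = [
        (sent_version != 0 and rcode != BADVERS, "EDNS version != 0 not answered with BADVERS"),
        (sent_do and not do, "DO=1 not echoed in response"),
        (z != 0, "unknown EDNS flag set in response"),
        (sent_opt in codes, "unknown EDNS option echoed in response"),
    ]
    return [text for bad, text in checks if bad]

def sample_response(ext_rcode=0, version=0, do=False, z=0, rdata=b""):
    """Constructed input: header, question for '.', and one OPT RR."""
    ttl = ext_rcode << 24 | version << 16 | (0x8000 if do else 0) | z
    head = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 1) + b"\x00\x00\x06\x00\x01"
    return head + b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, len(rdata)) + rdata
```

A server can return signed answers and still show up in `edns_faults`, which is the gap between "requires DNSSEC" and "requires fully compliant EDNS" that the thread argues over.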