> Mark Andrews wrote:
>
> > RFC 4035 requires the upstream cache to be RFC 4035 aware.
>
> Thanks. As exemplified by assumptions of RFC3225, that's a so
> unrealistic requirement that no further discussion on DNSSEC
> is necessary. PERIOD.

Given just about anyone can configure a validator to talk
directly to authoritative servers or can configure it to
talk to a cache which *is* DNSSEC aware which in turn talks
to the authoritative servers directly, I'm not worried about
those that *choose* to use a forwarder which is not DNSSEC
aware.

In other words just about anyone that wants to use DNSSEC
can put themselves in a position to use DNSSEC. The tools
are available to do it.

We know there is unlikely to ever be universal deployment
of DNSSEC. The fact that it is not universal however should
not be seen as a reason not to deploy it where it can be
deployed.

> > And lack of TCP support will also break PODS responses as well.
> > Authoritative servers can sometimes get away with disabling TCP.
> > Stub and caches have never been able to get away with disabling
> > TCP.
>
> In theory, yes, in practice, only those who supply large RRs
> requiring TCP (or EDNS) will suffer.

Well we are there now. Lots of answers require EDNS and/or
TCP and the DNS resolution has not fallen over.

> Masataka Ohta
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]