Personally RRSIG is worse for a implementer than ANY. I remember a time when there was a hope that you could do DNSSEC through a non DNSSEC aware server. RRSIG queries come from such a time. I would be happy to ban RRSIG queries.
That said banning RRSIG or ANY queries won't help with amplification issues. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
