On Sat, Mar 26, 2016 at 03:59:39PM -0400, Ólafur Guðmundsson wrote:
> There are 3 possible outcomes when a DNS querier gets an answer like this
> #1 It accepts everything from authority section
> #2 It tosses the non-queried RRset
> #3 It rejects the answer and tries again

#4 It panics and you don't know that.

There's no way to know whether #4 cases are out there, and nothing in any data you collect would tell the difference between 1 and 4. I think the chances are pretty low because of the experience with DNSSEC deployment, but at least there we were relying on the DO bit. What you're proposing is to change the protocol for people who don't even set DO. Surely that's risky?

> For #2 that means convincing the software vendors to adopt more relaxed
> approach

No, it means making a protocol change to a well-established, long-deployed standard and _then_ getting people to adopt it, and doing so without any signals about the deployment.

Please don't think I'm saying no: my employer feels this pain just as much as yours does, and I also am anxious to support ideas that move the state of the art ahead. But I cannot believe we are seriously talking about deploying stuff that changes a 30-year-old connectionless protocol without any signal in the protocol that the change is OK for the involved players in each exchange. If that's really the sort of thing we're going to do, then we might as well just start uploading protocol definitions to GitHub and tell people to try to track them.

Best regards,

A

--
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop