On 30/03/2017 16:48, Mark Andrews wrote:
>
> I'm going to assume these two proposals can be merged.
>
> The simple way to do this is to *always* add an OPT record that only
> contains this option to the end of the packet adjusting the additional
> section count. This OPT record is removed and the additional section
> count is adjusted prior to TSIG / SIG(0) verification.
>
> When replying via the front end, you always add an OPT record to the
> end of the packet after TSIG / SIG(0) computation adjusting the
> additional section count. This is removed by the front end adjusting
> the additional section count.
>
> This allows for TSIG, SIG(0) and plain DNS to be handled gracefully.
> Any other options like destination address can be added to this OPT
> record.
>
> If people really object to two OPT records we can do an OPT clone.

Interesting, although I'd be curious how we'd avoid and/or change the rules for TSIG that say it MUST always come last in the packet.

Ray

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
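
The append-and-strip handling discussed in this thread, sketched as an added example that is not part of the original messages or of any implementation. The option code 65001 (from the local/experimental range), the function names and the sample packet are assumptions; the TSIG record is a constructed stand-in without valid rdata.

```python
import struct

OPT, PROXY_CODE = 41, 65001  # 65001: assumed code, local/experimental range

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def _last_rr_offset(msg):
    """Walk the questions and every RR; return where the final RR starts."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, start = 12, None
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        start = off
        off = _skip_name(msg, off)
        off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
    if off != len(msg):
        raise ValueError("section counts do not match message length")
    return start

def wrap(msg, data):
    """Front end: append an OPT holding only our option, bump ARCOUNT."""
    rdata = struct.pack("!HH", PROXY_CODE, len(data)) + data
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata
    ar = struct.unpack_from("!H", msg, 10)[0]
    return msg[:10] + struct.pack("!H", ar + 1) + msg[12:] + opt

def unwrap(msg):
    """Back end: strip the trailing OPT and restore ARCOUNT, so TSIG /
    SIG(0) verification sees the bytes exactly as the client sent them."""
    start = _last_rr_offset(msg)
    if start is None or msg[start] != 0:
        raise ValueError("last record is not an OPT")
    if struct.unpack_from("!H", msg, start + 1)[0] != OPT:
        raise ValueError("last record is not an OPT")
    rdata = msg[start + 11:]
    if len(rdata) < 4:
        raise ValueError("OPT does not carry the expected option")
    code, length = struct.unpack_from("!HH", rdata)
    if code != PROXY_CODE or len(rdata) != 4 + length:
        raise ValueError("OPT does not carry only the expected option")
    ar = struct.unpack_from("!H", msg, 10)[0]
    return msg[:10] + struct.pack("!H", ar - 1) + msg[12:start], rdata[4:]

# Constructed sample: query for example.com A with a stand-in TSIG (type 250).
SAMPLE = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
          + b"\x03key\x00" + struct.pack("!HHIH", 250, 255, 0, 4) + bytes(4))
CLIENT = bytes([192, 0, 2, 1])   # constructed option payload
```

On the hop between front end and back end the TSIG record is no longer the last record on the wire, which is the rule Ray's reply asks about; `unwrap` restores the original ordering before any verification runs.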
