On Jul 29, 2022, at 16:49, Paul Wouters <[email protected]> wrote:

> Interesting history,
>
> I would have expected (and have taught) that this was by design to not
> disrupt systems with new data unless we knew they were ready for it. I didn’t
> realize we first tried to do it without that 😀
By the time we got to signing the root zone (surely much, much later than Ed's anecdote) there was some hope that we could deploy DNSSEC RRs into the root zone whenever we felt like it, since clients that didn't explicitly want DNSSEC RRs in their responses wouldn't set DO=1, there would be no RRSIGs etc. in responses they received, and hence they would be immune from any unintended consequences.

Of course by then DNSSEC had been well and truly implemented in the most deployed resolver implementations and it had become clear that such resolvers needed to set DO=1 on all upstream queries regardless of whether validation was turned on locally so that downstream validators could be supported. So in practice pretty much every query received by authoritative servers already had DO=1.

The need to be careful remained and this led to the idea of the DURZ, so that the effect of large responses could be isolated and assessed independently of the need to validate signatures.

I remember David Conrad in particular being very sad about the ubiquity of DO=1, more so even than he already was about DNSSEC in general. Or maybe DRC's sadness just seemed more pronounced because he had to deal with me as an employee.

Joe

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
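The mechanism behind Joe's point is the EDNS0 DO bit (RFC 3225 / RFC 6891): a signed authoritative server returns RRSIGs only when the query carried DO=1, and a resolver that sets DO=1 on every upstream query therefore receives the larger signed responses whether or not it validates locally. The following wire-format builder and inspector is an added illustration written for this thread, not code from the message or from any of the implementations it mentions; the query name, transaction id, advertised UDP size and the all-zero RRSIG RDATA are constructed placeholders, and the names `build_query`, `build_response` and `inspect` are my own.

```python
"""Added example: carry and detect the EDNS0 DO bit on DNS wire-format messages
and count RRSIGs in a response. Constructed for illustration; not from the thread."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000  # top bit of the 16-bit flags field carried in the OPT RR "TTL"


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt(udp_size: int, do: bool) -> bytes:
    """OPT pseudo-RR: root owner, type 41, CLASS = advertised UDP payload size,
    TTL = ext-rcode(8) | version(8) | flags(16) with DO at 0x8000, no options."""
    flags = DO_FLAG if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, 0)


def build_query(qname: str, do: bool, edns: bool = True,
                udp_size: int = 1232, txid: int = 0x1234) -> bytes:
    """Constructed A query; the OPT RR goes in the additional section only when edns=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + (build_opt(udp_size, do) if edns else b"")


def skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect(pkt: bytes) -> dict:
    """What an authoritative server (or a resolver) can see: is EDNS present,
    is DO set, what UDP size was advertised, how many RRSIGs are in the message."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    info = {"has_opt": False, "do": False, "udp_size": 512, "rrsigs": 0}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info.update(has_opt=True, do=bool(ttl & DO_FLAG), udp_size=rclass)
        elif rtype == TYPE_RRSIG:
            info["rrsigs"] += 1
    return info


def build_response(query: bytes) -> bytes:
    """Constructed reply from a signed zone: an A record always, an RRSIG
    (placeholder RDATA, not a real signature) only when the query had DO=1."""
    q = inspect(query)
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    owner = b"\xc0\x0c"  # pointer back to the question name at offset 12
    answers = owner + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    ancount = 1
    if q["do"]:
        rdata = b"\x00" * 51  # placeholder RRSIG RDATA; only the record's presence matters here
        answers += owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
        ancount = 2
    additional = build_opt(1232, q["do"]) if q["has_opt"] else b""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 1 if q["has_opt"] else 0)
    return header + question + answers + additional


if __name__ == "__main__":
    for do in (False, True):
        q = build_query("example.", do=do)
        print("query DO =", inspect(q)["do"], "-> response", inspect(build_response(q)))
```

Running it shows the asymmetry the thread describes: the DO=0 query gets a plain answer, the DO=1 query gets the same answer plus the RRSIG, so a resolver that always sets DO=1 upstream is exposed to the larger responses even when it never validates.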
