>>>>> "Jeff" == Jeff Stevens writes:

Jeff> It is not obvious to me that DNSSEC needs EDNS as there is
Jeff> no mention of EDNS in the DNSSEC RFC2535. Is there some
Jeff> reason the EDNS feature gets used by calling out the +dnssec
Jeff> option?

The +dnssec option to dig tells it to set the DO (DNSSEC OK) bit which
is in the EDNS0 OPT header. The DO bit is used to tell a server that
the client is DNSSEC-aware and, by implication, is willing to receive
DNSSEC RRtypes. RFC3225 -- Indicating Resolver Support of DNSSEC --
documents this.

DNSSEC-signed responses are *much* bigger than conventional DNS
replies because of the extra (and large) RR types that get returned:
RRSIGs, NSECs, DNSKEYs. These records and their associated data mean
the 512 byte limit on "normal" UDP replies is easily exceeded. So
rather than send truncated responses which result in retried queries
over TCP, it's best to use EDNS0. Clients can then tell the server
that they're able and willing to accept UDP replies bigger than 512
bytes. This is a Big Win for everyone. Most, if not all, clients that
are DNSSEC-aware will support EDNS0 anyway.
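To make the OPT/DO-bit mechanics described above concrete, here is an added Python example (not code from the original thread or from dig) that builds a DNS query carrying an EDNS0 OPT pseudo-RR with the DO bit set and an advertised UDP payload size, reads those fields back out of a message, and checks the TC flag that signals a truncated reply. The query name, record type and 4096-byte buffer size are constructed sample values.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000      # DNSSEC OK bit: top bit of the OPT "TTL" field (RFC 3225)
TC_BIT = 0x0200      # truncation flag in the DNS header flags word

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_opt_rr(udp_size=4096, do=True):
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=flags, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO_BIT if do else 0, 0)

def build_query(qname, qtype, txn_id=0x1234, udp_size=4096, do=True, edns=True):
    """Build a recursive query; with edns=True an OPT RR goes in the additional section."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    return header + question + (build_opt_rr(udp_size, do) if edns else b"")

def _skip_name(msg, off):
    """Advance past a name (handles compression pointers); return the new offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_opt(msg):
    """Return (udp_size, do_bit) from the OPT RR, or None if the message has no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_BIT)
    return None

def is_truncated(msg):
    """True if the server set TC: the reply did not fit and the query must be retried over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

if __name__ == "__main__":
    q = build_query("example.com", 48)            # 48 = DNSKEY (constructed sample query)
    print(len(q), "bytes; EDNS0 (udp_size, DO) =", parse_opt(q))
```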