# Also: the DO bit was introduced to protect "innocent" resolvers from
# DNSSEC RRs they might not expect or understand.
#
# Opinions?

i think a security aware server should elide dnssec metadata unless DO is set,
whereas we already know that a security-nonaware server will not do this and
will never do this.

we can hope that a security non-aware server will never see dnssec metadata
but we know this isn't true either.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: