On Mon, 20 Feb 2006, Paul Vixie wrote:

> i think a security aware server should elide dnssec metadata unless
> DO is set, whereas we already know that a security-nonaware server
> will not do this and will never do this.
>
> we can hope that a security non-aware server will never see dnssec
> metadata but we know this isn't true either.


Following the same logic, should modern name servers strip out other
new record types, in hopes of protecting innocent (and broken)
resolvers?

As Mark points out, the general answer is "no" -- we're willing to let
a resolver that asks for ANY get unknown RR types and, if it can't
cope with the answer, we're willing to let it break. I don't see any
need to treat the DNSSEC records differently.

-- Sam
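The behaviour under discussion, a security-aware server eliding DNSSEC metadata (RRSIG, NSEC, NSEC3) from an answer unless the client set the EDNS DO bit, as an added example that is not part of this thread or of any named server's code. It parses a wire-format query far enough to find the OPT record and read DO (the high bit of the OPT TTL field, per RFC 6891), then filters a constructed answer set for an ANY query. The tuple representation of records and the sample data are assumptions made for the example.

```python
import struct

# DNSSEC metadata RR types a security-aware server may elide when DO is clear
# (type numbers from RFC 4034 / RFC 5155)
DNSSEC_METADATA_TYPES = {46: "RRSIG", 47: "NSEC", 50: "NSEC3"}
OPT_TYPE = 41
QTYPE_ANY = 255
DO_BIT = 0x8000  # high bit of the 16-bit flags word inside the OPT record's TTL field

# Constructed answer set for "example.com. IN ANY": (owner, type number, rdata text).
# Sample data for illustration only.
SAMPLE_ANSWER = [
    ("example.com.", 1, "192.0.2.1"),
    ("example.com.", 15, "10 mail.example.com."),
    ("example.com.", 46, "RRSIG A 8 2 3600 ... (signature)"),
    ("example.com.", 47, "NSEC a.example.com. A MX RRSIG NSEC"),
]

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def do_bit_set(query):
    """Parse a wire-format DNS message and report whether its OPT record sets DO.

    A message with no OPT record is a non-EDNS client, which cannot have set DO.
    """
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount + nscount):  # answer and authority RRs, if any
        off = _skip_name(query, off)
        (rdlen,) = struct.unpack("!H", query[off + 8:off + 10])
        off += 10 + rdlen
    for _ in range(arcount):  # OPT lives in the additional section
        off = _skip_name(query, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen
    return False

def elide_dnssec_metadata(rrs, do):
    """Return the answer unchanged if DO is set, otherwise without RRSIG/NSEC/NSEC3."""
    if do:
        return list(rrs)
    return [rr for rr in rrs if rr[1] not in DNSSEC_METADATA_TYPES]

def build_query(name, qtype, do, edns=True):
    """Construct a minimal query; with edns=True an OPT record carries the DO flag."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    if not edns:
        return header + question
    # OPT: root owner name, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT if do else 0, 0)
    return header + question + opt

def answer_for(query, rrs=SAMPLE_ANSWER):
    """Apply the server-side policy: elide metadata unless the client asked for it."""
    return elide_dnssec_metadata(rrs, do_bit_set(query))

if __name__ == "__main__":
    for label, q in (("DO set", build_query("example.com.", QTYPE_ANY, True)),
                     ("DO clear", build_query("example.com.", QTYPE_ANY, False)),
                     ("no EDNS", build_query("example.com.", QTYPE_ANY, False, edns=False))):
        print(label, [rr[1] for rr in answer_for(q)])
```

The filter is deliberately keyed on the client's DO bit rather than on the QTYPE, so an ANY query from a non-EDNS resolver gets the same treatment as any other query from it: the unknown-to-it DNSSEC types are simply absent, which is the policy the quoted message argues for.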

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: