# > i think a security aware server should elide dnssec metadata unless DO
# > is set, whereas we already know that a security non-aware server will not
# > do this and will never do this.
# >
# > we can hope that a security non-aware server will never see dnssec
# > metadata but we know this isn't true either.
#
# Following the same logic, should modern name servers strip out other new
# record types, in hopes of protecting innocent (and broken) resolvers?

no. i was mistaken, but not about that. i thought there was a way to
signal dnssec awareness that wasn't DO=1. if there were, then i'd say
any requestor who could signal dnssec awareness and also signal that
dnssec metadata wasn't wanted, shouldn't get it, even on qtype=ANY.

# As Mark points out, the general answer is "no" -- we're willing to let a
# resolver that asks for ANY get unknown RR types and, if it can't cope with
# the answer, we're willing to let it break. I don't see any need to treat
# the DNSSEC records differently.

i wasn't worried about seeing something that wasn't understood, i was
looking to optimize message size and avoid truncation/fragmentation/tcp.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive:
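The exchange described above, as an added example that is not part of the original thread or any name server's code: a requestor signals DNSSEC awareness only by setting the DO bit in the EDNS0 OPT pseudo-RR, a server reads that bit, and the "elide DNSSEC metadata unless DO is set" policy the poster describes is applied to a qtype=ANY answer to show the message-size effect that motivates it (truncation past the requestor's UDP limit). The zone records and their rdata lengths are constructed for illustration, with sizes typical of an RSA-signed zone; the policy function keeps an explicit query for a DNSSEC type (qtype equal to the record type) as the assumed exception, and treats ANY the way the message proposes, which is the poster's suggestion and not a statement of what any standard requires.

```python
"""Added example: EDNS0 DO bit detection and DNSSEC-metadata elision on ANY.
Pure stdlib, wire format built by hand. Records below are constructed dummies."""
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3, TYPE_ANY = (
    1, 6, 41, 46, 47, 48, 50, 255)
DNSSEC_META_TYPES = {TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_NSEC3}
CLASS_IN = 1
EDNS_DO = 0x8000   # DO bit: high bit of the 16 extended flags carried in the OPT RR's TTL field
UDP_MIN = 512      # payload limit for a requestor that sends no OPT RR at all


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name; a compression pointer ends the name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def build_query(qname: str, qtype: int, edns: bool = True, do: bool = False,
                udp_size: int = 4096, qid: int = 0x1234) -> bytes:
    """Requestor side: RD query with an optional OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if edns:
        # OPT: root name, type 41, CLASS = requestor's UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return msg


def edns_info(msg: bytes):
    """Server side: (do, udp_size). No OPT RR means a non-EDNS, hence non-DNSSEC-aware, requestor."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO), max(rclass, UDP_MIN)
        off += 10 + rdlen
    return False, UDP_MIN


def question_type(msg: bytes) -> int:
    off = skip_name(msg, 12)
    return struct.unpack("!H", msg[off:off + 2])[0]


def elide_dnssec_metadata(rrs, qtype: int, do: bool):
    """The policy from the message: drop RRSIG/NSEC/NSEC3/DNSKEY unless DO was set.
    Assumed exception: an explicit query for that type is still answered. ANY gets no exception."""
    if do:
        return list(rrs)
    return [rr for rr in rrs if rr[1] not in DNSSEC_META_TYPES or rr[1] == qtype]


def answer(query: bytes, zone_rrs):
    """Return (answer RRs, wire size, truncated) as the elision policy would serve them."""
    do, udp_size = edns_info(query)
    qtype = question_type(query)
    candidates = zone_rrs if qtype == TYPE_ANY else [rr for rr in zone_rrs if rr[1] == qtype]
    rrs = elide_dnssec_metadata(candidates, qtype, do)
    qlen = skip_name(query, 12) + 4 - 12                      # question section length
    size = 12 + qlen + sum(len(encode_name(n)) + 10 + len(rd) for n, _, rd in rrs)
    return rrs, size, size > udp_size


NAME = "example.com."
ANY_RRSET = [  # constructed: dummy rdata with lengths typical of a 1024-bit ZSK / 2048-bit KSK zone
    (NAME, TYPE_A, bytes([192, 0, 2, 1])),
    (NAME, TYPE_SOA, b"\x00" * 46),
    (NAME, TYPE_RRSIG, b"\x00" * 165),    # RRSIG(A)
    (NAME, TYPE_RRSIG, b"\x00" * 165),    # RRSIG(SOA)
    (NAME, TYPE_DNSKEY, b"\x00" * 134),   # ZSK
    (NAME, TYPE_DNSKEY, b"\x00" * 264),   # KSK
    (NAME, TYPE_RRSIG, b"\x00" * 293),    # RRSIG(DNSKEY) by the KSK
    (NAME, TYPE_NSEC, b"\x00" * 21),
    (NAME, TYPE_RRSIG, b"\x00" * 165),    # RRSIG(NSEC)
]

if __name__ == "__main__":
    for label, q in [("no EDNS, ANY", build_query(NAME, TYPE_ANY, edns=False)),
                     ("EDNS DO=0, ANY", build_query(NAME, TYPE_ANY, do=False)),
                     ("EDNS DO=1, ANY, 512", build_query(NAME, TYPE_ANY, do=True, udp_size=512)),
                     ("EDNS DO=1, ANY, 4096", build_query(NAME, TYPE_ANY, do=True)),
                     ("no EDNS, DNSKEY", build_query(NAME, TYPE_DNSKEY, edns=False))]:
        rrs, size, tc = answer(q, ANY_RRSET)
        print(f"{label:22s} rrs={len(rrs)} size={size} TC={tc}")
```

The unfiltered ANY answer is about three times the classic 512-byte limit, so a requestor without EDNS would get TC=1 and retry over TCP; with the elision it fits in a single small datagram, which is the optimisation the reply is after. The DO=1 requestor with a 512-byte buffer still gets truncated, since it asked for the metadata and announced a buffer that cannot hold it.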