This is a discussion on Re: DNSSECbis clarifications: QTYPE ANY & "DNSSEC RRSets" - DNS
# > i think a security aware server should elide dnssec metadata unless DO
# > is set, whereas we already know that a security-nonaware server will not
# > do this and will never do this.
# > we can hope that a security non-aware server will never see dnssec
# > metadata but we know this isn't true either.
# Following the same logic, should modern name servers strip out other new
# record types, in hopes of protecting innocent (and broken) resolvers?
no. i was mistaken, but not about that. i thought there was a way to
signal dnssec awareness that wasn't DO=1. if there were, then i'd say
any requestor who could signal dnssec awareness and also signal that
dnssec metadata wasn't wanted, shouldn't get it, even on qtype=ANY.
# As Mark points out, the general answer is "no" -- we're willing to let a
# resolver that asks for ANY get unknown RR types and, if it can't cope with
# the answer, we're willing to let it break. I don't see any need to treat
# the DNSSEC records differently.
i wasn't worried about seeing something that wasn't understood; i was
looking to optimize message size and avoid truncation/fragmentation/tcp.
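The size trade-off behind this exchange can be made concrete. The following is an added example, not code from the thread or from any name server implementation: a toy model of how a security-aware authoritative server fills the answer section and what that does to UDP response size. It follows the behaviour the replies above describe (and that RFC 4035 section 3.2.1 later fixed): with DO=0 the server treats RRSIG, NSEC and DNSKEY like any other RRset, so QTYPE=ANY returns them regardless of DO, while for a specific QTYPE the covering RRSIGs are added only when DO=1. The `elide_on_any` switch models the alternative floated above (strip DNSSEC metadata from ANY answers when DO=0) purely to show the bytes it would save; it is not standard behaviour. The zone contents, RDATA sizes, the 1232-byte "fragmentation-safe" threshold and the `build_response` name are all constructed for this example.

```python
"""Toy model: DNSSEC metadata vs. UDP response size for ANY and non-ANY queries.

Added example, not from the mailing-list thread. All record sizes are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The RR types the thread calls "dnssec metadata". A security-aware server that
# sees DO=0 treats them as ordinary RRsets (RFC 4035 s3.2.1), so ANY returns them.
DNSSEC_METADATA = frozenset({"RRSIG", "NSEC", "DNSKEY"})

DNS_HEADER_LEN = 12      # fixed DNS message header
OPT_RR_LEN = 11          # EDNS0 OPT pseudo-RR with empty RDATA
UDP_DEFAULT_MAX = 512    # classic UDP limit when no EDNS OPT RR is present
FRAG_SAFE_SIZE = 1232    # assumed threshold above which IP fragmentation is likely


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata_len: int       # constructed RDATA size in bytes
    covers: str = ""     # for RRSIG only: the type it signs


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a dotted FQDN such as 'example.com.'."""
    labels = [label for label in name.split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1   # +1 for the root label


def rr_wire_len(rr: RR) -> int:
    # owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA
    return name_wire_len(rr.name) + 10 + rr.rdata_len


def select_answer(zone: Iterable[RR], qname: str, qtype: str, do_bit: bool,
                  elide_on_any: bool = False) -> List[RR]:
    """Choose the RRs for the answer section.

    ANY returns every RRset at the name, DNSSEC types included, whether or not
    DO is set. For other QTYPEs the covering RRSIGs are added only when DO=1.
    elide_on_any=True models the non-standard "strip metadata when DO=0" idea.
    """
    at_name = [rr for rr in zone if rr.name == qname]
    if qtype == "ANY":
        if elide_on_any and not do_bit:
            return [rr for rr in at_name if rr.rtype not in DNSSEC_METADATA]
        return list(at_name)
    answer = [rr for rr in at_name if rr.rtype == qtype]
    if do_bit and qtype != "RRSIG":
        answer += [rr for rr in at_name if rr.rtype == "RRSIG" and rr.covers == qtype]
    return answer


def build_response(zone: Iterable[RR], qname: str, qtype: str, do_bit: bool,
                   edns_udp_size: Optional[int] = None, elide_on_any: bool = False) -> dict:
    """Describe the UDP response: answer RRs, wire size, TC flag, fragmentation hint."""
    if do_bit and edns_udp_size is None:
        raise ValueError("the DO bit lives in the EDNS OPT RR; DO=1 requires EDNS")
    answer = select_answer(zone, qname, qtype, do_bit, elide_on_any)
    size = DNS_HEADER_LEN + name_wire_len(qname) + 4          # header + question
    size += sum(rr_wire_len(rr) for rr in answer)
    if edns_udp_size is not None:
        size += OPT_RR_LEN
    limit = edns_udp_size if edns_udp_size is not None else UDP_DEFAULT_MAX
    tc = size > limit                                          # client must retry over TCP
    return {"answer": answer, "size": size, "tc": tc,
            "likely_fragmented": (not tc) and size > FRAG_SAFE_SIZE}


# Constructed apex of a signed zone: ordinary data plus DNSKEY, NSEC and one
# RRSIG per RRset. RDATA sizes are plausible for RSA keys/signatures, not real.
ZONE = [
    RR("example.com.", "A", 4),
    RR("example.com.", "MX", 20),
    RR("example.com.", "TXT", 120),
    RR("example.com.", "DNSKEY", 264),   # KSK-sized key
    RR("example.com.", "DNSKEY", 134),   # ZSK-sized key
    RR("example.com.", "NSEC", 24),
] + [RR("example.com.", "RRSIG", 282, covers=t) for t in ("A", "MX", "TXT", "DNSKEY", "NSEC")]


if __name__ == "__main__":
    cases = [
        ("A",   False, None, False),
        ("A",   True,  4096, False),
        ("ANY", False, None, False),   # DO=0 still returns RRSIG/NSEC/DNSKEY on ANY
        ("ANY", True,  4096, False),
        ("ANY", False, None, True),    # the elision idea, for comparison only
    ]
    for qtype, do, udp, elide in cases:
        r = build_response(ZONE, "example.com.", qtype, do, udp, elide)
        print(f"{qtype:<4} DO={int(do)} edns={udp} elide={elide}: "
              f"{len(r['answer'])} RRs, {r['size']} bytes, TC={r['tc']}, "
              f"frag={r['likely_fragmented']}")
```

Running the script shows the point of the reply: the plain A query is tiny either way, but ANY with DO=0 and no EDNS returns the whole signed apex and overflows 512 bytes, forcing TC and a TCP retry; with EDNS it fits but is large enough to fragment; only the non-standard elision would keep it inside a single small datagram.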