* Paul Vixie:

> since time is short, i would prefer a server-side change, supported by a
> spec change (which means this would head back to namedroppers@) whereby
> (bufsize<1220 && DO=1) would be treated as (DO=0).

And what does the resolver with a trust anchor do with the DO=0 answer?
Requery immediately because it assumes there's an attack?

If you want to punish those non-compliant resolvers, you must not answer
at all, hoping that the resolver timeout will calm things down.
Obviously, you should play such tricks only on a separate set of root
server addresses/names.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
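
The rule in the quoted proposal, (bufsize<1220 && DO=1) treated as (DO=0), evaluated against the OPT record of a query. This is an added example, not part of the original message or of any server's code; the function names and the constructed queries are assumptions made for illustration.

```python
import struct

OPT = 41             # OPT pseudo-RR type (EDNS0)
DO_BIT = 0x8000      # top bit of the 16-bit EDNS flags in the OPT TTL field
MIN_BUFSIZE = 1220   # threshold from the quoted proposal

def build_query(qname, bufsize=None, do=False):
    """Constructed DNSKEY query; an OPT RR is appended when bufsize is given."""
    header = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0 if bufsize is None else 1)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split(".") if l)
    msg = header + labels + b"\x00" + struct.pack("!HH", 48, 1)
    if bufsize is not None:
        # root owner name, TYPE=OPT, CLASS=bufsize, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, bufsize, DO_BIT if do else 0, 0)
    return msg

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_params(msg):
    """Return (bufsize, do) from the OPT RR, or None when the query has no EDNS."""
    try:
        _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT:
                return rclass, bool(ttl & DO_BIT)
            off += 10 + rdlen
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message") from None
    return None

def effective_do(msg):
    """DO as a server applying the proposed rule would treat it."""
    params = edns_params(msg)
    if params is None:
        return False
    bufsize, do = params
    return do and bufsize >= MIN_BUFSIZE
```

A query that advertises 512 bytes with DO=1 comes out as DO=0 here, which is the answer the reply asks about for a resolver holding a trust anchor.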