Matthew,

On Nov 4, 2009, at 1:45 PM, Matthew Dempsky wrote:
> On Wed, Nov 4, 2009 at 12:04 PM, David Conrad <d...@virtualized.org> wrote:
>> On Nov 4, 2009, at 11:41 AM, Matthew Dempsky wrote:
>>> On Wed, Nov 4, 2009 at 11:26 AM, <bmann...@vacation.karoshi.com> wrote:
>>>> The current deployment plan is to stage things to push out large responses
>>>> early - prior to having any actual DNSSEC usable data ... ostensibly to
>>>> flush out DNSmtu problems.
>>>
>>> Is this plan to push out large responses indiscriminately, or only in
>>> response to queries with DO=1?
>>
>> We're not planning on breaking the DNS protocol. DNSSEC responses will only
>> be provided if DO=1 (currently about 70% of the queries hitting the root
>> have DO=1).
>
> I'd appreciate if someone could clarify what the "large responses"
> that will preexist "actual DNSSEC usable data" that Bill Manning is
> referring to are.

They are signed responses, but signed with a 'deliberately unvalidatable root key'.

> It's unclear to me whether it's still technically
> DNSSEC data and hence would require a client to send DO=1,

Yes, it is DNSSEC data and will only be returned if DO=1. Clients that do not set DO=1 will not receive the DNSSEC responses.

> or if it
> will be something like large additional section TXT records or just
> trailing bytes.

No.

Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
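
The DO bit discussed in this thread is carried in the EDNS0 OPT record of the query (RFC 3225), next to the UDP payload size the client advertises. As an added example that is not part of the original message, the Python below builds queries with and without DO and reads both values back from the wire bytes; the function names and sample values are constructed for illustration.

```python
import struct

DO_FLAG = 0x8000  # RFC 3225: top bit of the 16-bit EDNS flags field
TYPE_OPT = 41     # RFC 6891 OPT pseudo-RR


def build_query(qname, qtype, do=None, udp_size=4096, msg_id=0x1234):
    """Build a wire-format query; do=None omits EDNS0, else adds OPT with DO=do."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    arcount = 0 if do is None else 1
    msg = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, arcount)
    msg += name + struct.pack("!HH", qtype, 1)  # QCLASS = IN
    if do is not None:
        ttl = DO_FLAG if do else 0  # ext-rcode=0, version=0, then flags
        # Root owner name, TYPE=OPT, CLASS=UDP payload size, TTL, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Skip a plain or compressed name and return the offset after it."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n


def edns_do(msg):
    """Return (do_bit, udp_size) from the OPT RR, or (False, 512) without EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & DO_FLAG), rclass  # OPT CLASS holds the payload size
    return False, 512  # classic DNS-over-UDP limit when no OPT record is present
```

A query without an OPT record, or with OPT but DO=0, falls on the side of the exchange that does not receive the signed responses.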