On Mar 20, 2010, at 1:50 AM, George Barwood wrote:
>> Enshrining "thou shalt never fragment" into the Internet Architecture is
>> dangerous, and will cause far MORE problems. Having something which
>> regularly exercises fragmentation as critical to the infrastructure and we
>> wouldn't have this problem where 10% of the resolvers are broken WRT
>> fragmentation.
>
> I'm not suggesting that. If the higher level protocol has definite security
> checks, or security is not important, fragmentation is ok. But for DNSSEC
> neither of these is true.
Then what you're arguing here is don't request stuff with DO unless you are
willing to validate. Given the exercise of DO requesting is done (the
firewalls have figured it out), drop DO on unvalidated traffic, don't drop
fragmentation.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
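The reply above suggests that a resolver which does not validate should send its upstream queries without the DO bit, so that it never asks for the RRSIG-laden (and therefore fragmentation-prone) responses it cannot check. The following is an added example, not code from the thread or from any resolver mentioned in it, showing what that means on the wire: it builds a DNS query carrying an EDNS0 OPT record (RFC 6891) with the DO bit set or cleared, reads the DO bit and advertised UDP payload size back out of a query, and clears DO in an existing query the way a non-validating forwarder could before relaying it. The function names (build_query, edns_info, strip_do) are this example's own, and the sample query name is constructed for illustration.

```python
import struct

TYPE_OPT = 41
CLASS_IN = 1
TYPE_A = 1
# DO is the top bit of the low 16 bits of the OPT RR's TTL field (RFC 3225 / RFC 6891).
DO_FLAG = 0x8000


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, do=True, udp_size=4096, txid=0x1234):
    """Build a query with one question and one OPT RR in the additional section."""
    # Flags 0x0100 = RD set; QDCOUNT=1, ARCOUNT=1 (the OPT RR).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    ttl = DO_FLAG if do else 0          # extended RCODE 0, version 0, DO as requested
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past the name at msg[off], handling a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def find_opt(msg):
    """Locate the OPT RR; return the offset of its fixed fields (TYPE..RDLENGTH) or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return off
        off += 10 + rdlen
    return None


def edns_info(msg):
    """Return the EDNS parameters a query advertises, or None if it has no OPT RR."""
    fixed = find_opt(msg)
    if fixed is None:
        return None
    _rtype, udp_size, ttl, _rdlen = struct.unpack("!HHIH", msg[fixed:fixed + 10])
    return {
        "udp_size": udp_size,
        "do": bool(ttl & DO_FLAG),
        "version": (ttl >> 16) & 0xFF,
    }


def strip_do(msg):
    """Clear the DO bit in place: the query still carries EDNS0 but no longer asks for RRSIGs."""
    fixed = find_opt(msg)
    if fixed is None:
        return msg
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", msg[fixed:fixed + 10])
    ttl = (ttl & ~DO_FLAG) & 0xFFFFFFFF
    return msg[:fixed] + struct.pack("!HHIH", rtype, udp_size, ttl, rdlen) + msg[fixed + 10:]


if __name__ == "__main__":
    q = build_query("example.com")          # constructed sample query, DO set
    print("validating client sends:", edns_info(q))
    print("non-validating forwarder relays:", edns_info(strip_do(q)))
```

Clearing DO leaves the OPT RR, and thus the advertised UDP payload size, in place; the point is only that an upstream will then omit RRSIGs, so the response to a forwarder that was never going to validate them stays small. A resolver that keeps DO on queries it forwards but never validates is in exactly the position the reply criticises.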