On 7/29/22, 3:53 AM, "Petr Špaček" <pspa...@isc.org> wrote:

> By any chance, do you remember in what iteration the DO=1 in query was
> introduced? I wonder what sort of disruption was anticipated/feared.
>
> In hindsight it seems that DO=1 requirement for "new" behavior (like,
> say, adding RRSIG to delegations sent from the parent zone) could be
> enough.

There was a specific incident, I don't recall the year, but it was in a later iteration.

DNSSEC's code development was carried out by a small contractor to the US government, physically located in a farm-like setting about an hour's drive from any city (providing a sense of isolation). With the company's willingness to take on technical risk, DNSSEC had progressed to the point where we decided to put it into production, signing our corporate zone. Everything seemed to be fine. No one was able to verify the signatures as there were no trust anchor points set, but the records would be included in responses.

On the third(*) day, one of the principal investigators (project leads) realized she hadn't been getting mail from the government contracting offices (who were paying for DNSSEC and other projects). It seemed no other principal investigator had received mail either. A call went to the contracting offices; it was discovered that the government's name servers were rejecting our DNSSEC-signed responses. The mail they needed to send us was "dropping on the floor" at their end.

All involved were highly sympathetic to the situation, so we initially rolled back, mail resumed, and the DO bit was invented (and eventually documented in https://www.rfc-editor.org/rfc/rfc3225.html).

* Well, I recall "3" being the number of days. It was definitely between 1 and 5...

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop