Interesting history, I would have expected (and have taught) that this was by design to not disrupt systems with new data unless we knew they were ready for it. I didn’t realize we first tried to do it without that 😀
Paul

Sent using a virtual keyboard on a phone

> On Jul 29, 2022, at 10:06, Edward Lewis <edward.le...@icann.org> wrote:
>
> On 7/29/22, 3:53 AM, "Petr Špaček" <pspa...@isc.org> wrote:
>> By any chance, do you remember in what iteration the DO=1 in query was
>> introduced? I wonder what sort of disruption was anticipated/feared.
>>
>> In hindsight it seems that DO=1 requirement for "new" behavior (like,
>> say, adding RRSIG to delegations sent from the parent zone) could be
>> enough.
>
> There was a specific incident, I don't recall the year, but it was in a later
> iteration.
>
> DNSSEC's code development was carried out by a small contractor to the US
> government, physically located in a farm-like setting about an hour's drive
> from any city (providing a sense of isolation). With the company's
> willingness to take on technical risk, DNSSEC had progressed to the point
> where we decided to put it into production, signing our corporate zone.
>
> Everything seemed to be fine. No one was able to verify the signatures as
> there were no trust anchor points set, but the records would be included in
> responses.
>
> On the third(*) day, one of the principal investigators (project leads)
> realized she hadn't been getting mail from the government contracting offices
> (who were paying for DNSSEC and other projects). It seemed no other
> principal investigator had received mail either. A call went to the
> contracting offices, it was discovered that the government's name servers
> were rejecting our DNSSEC-signed responses. The mail they needed to send us
> was "dropping on the floor" at their end.
>
> All involved were highly sympathetic to the situation, so we initially rolled
> back, mail resumed, and the DO bit was invented (and eventually documented in
> https://www.rfc-editor.org/rfc/rfc3225.html).
>
> * Well, I recall "3" being the number of days. It was definitely between 1
> and 5...
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
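The mechanism the thread is discussing, as an added illustration that is not part of the mailing-list exchange: the DO ("DNSSEC OK") bit defined in RFC 3225 lives in the flags half of the EDNS0 OPT pseudo-RR's TTL field, and a responder only volunteers RRSIG/NSEC records when the querier set it, which is exactly what would have kept the unprepared name servers in the story from seeing record types they could not handle. The OPT wire layout follows RFC 6891; the record-filtering policy below is a deliberately simplified model (DNSSEC types are withheld when DO=0 unless explicitly queried for), and the zone records are constructed sample data, not real RRSIGs.

```python
import struct

# EDNS0 OPT pseudo-RR (RFC 6891): NAME = root (one zero byte), TYPE = 41,
# CLASS = requester's UDP payload size, TTL = extended RCODE (8 bits) |
# EDNS version (8 bits) | flags (16 bits), RDLEN, RDATA.
# RFC 3225 assigns the DO bit to the most significant bit of the 16 flag bits.
OPT_TYPE = 41
DO_FLAG = 0x8000

# Record types a resolver that did not ask for DNSSEC (DO=0) should not be
# surprised with. Simplified policy for illustration; DS/DNSKEY are omitted
# because they are normally returned only when explicitly asked for anyway.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}


def build_opt_rr(udp_payload_size=1232, do=True, version=0, ext_rcode=0):
    """Serialize an OPT RR with the DO bit set or clear."""
    flags = DO_FLAG if do else 0
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)


def parse_opt_rr(wire):
    """Decode an OPT RR and report whether the querier set DO."""
    if wire[0:1] != b"\x00":
        raise ValueError("OPT RR must have the root name")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    return {
        "udp_payload_size": payload,
        "ext_rcode": (ttl >> 24) & 0xFF,
        "version": (ttl >> 16) & 0xFF,
        "do": bool(ttl & DO_FLAG),
        "rdlen": rdlen,
    }


def filter_answer(records, qtype, do):
    """Responder-side gate: include DNSSEC records only if the client
    signalled DO=1 or explicitly asked for that record type."""
    kept = []
    for name, rtype, rdata in records:
        if rtype in DNSSEC_TYPES and not do and rtype != qtype:
            continue  # client gave no sign it can cope with this type
        kept.append((name, rtype, rdata))
    return kept


# Constructed sample answer from a signed zone (RRSIG rdata is a placeholder).
SIGNED_ANSWER = [
    ("example.test.", "A", "192.0.2.1"),
    ("example.test.", "RRSIG", "A 13 2 3600 <constructed-signature>"),
]


def answer_for(query_opt_wire, qtype="A", records=SIGNED_ANSWER):
    """Simulate a server handling a query whose OPT RR is given on the wire;
    a query without any OPT RR is treated as DO=0 (pre-EDNS client)."""
    do = parse_opt_rr(query_opt_wire)["do"] if query_opt_wire else False
    return filter_answer(records, qtype, do)


if __name__ == "__main__":
    for label, opt in (("DO=1", build_opt_rr(do=True)),
                       ("DO=0", build_opt_rr(do=False)),
                       ("no EDNS", b"")):
        print(label, [r[1] for r in answer_for(opt)])
```

Running it shows the same zone data answered three ways: the DO=1 client gets the A record plus its RRSIG, while the DO=0 and non-EDNS clients get only the A record, which is the compatibility behaviour the thread credits the DO bit with restoring.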