* Mark Andrews: > The DNSSEC testing is also insufficient. 9-11commission.gov shows > green for example but if you use DNS COOKIES (which BIND 9.10.4 and > BIND 9.11.0 do) then servers barf and return BADVERS and validation > fails. QWEST you have been informed of this already. > > Why the hell should validating resolver have to work around the > crap you guys are using?
The protocol doesn't have proper version negotation, and again and again, implementers have tried to force backwards-incompatible implementations on the Internet at large.