Just to clarify, EDNS for DNSSEC is only a requirement for: 1) high performance DNSSEC operation, or 2) DNSSEC operation in case TCP/IP is not available.

In an understandable effort to "make the world safe for DNSSEC", BIND has been sending DNSSEC-enabled questions *by default* for a long time now ('do=1 queries').

The upshot of this default BIND DNSSEC behaviour is that any BIND user that cannot do EDNS will pretty soon have to fall back to TCP/IP a lot. And since TCP/IP is not always available for DNS, a significant percentage of BIND users may "go dark" if they can't do EDNS once the root is signed with DNSSEC records.

However, since PowerDNS does not ask DNSSEC questions by default, this situation does not apply to PowerDNS users.

More specifically, if you run the suggested tests that can help you determine if you "will have problems with the signed root" the results do NOT apply to PowerDNS, but only to BIND (and probably Unbound).

Kind regards,

Bert Hubert

On Fri, Mar 19, 2010 at 08:13:42AM -0400, Curtis Maurand wrote:
> It's my understanding that EDNS is going to be required to exchange
> keys properly for DNSSEC. Am I wrong? Is EDNS going to be a
> requirement in the future?
>
> Thanks in advance,
> Curtis
>
> On 3/18/2010 8:40 PM, Michael Fincham wrote:
> >Hi Bert,
> >
> >Thanks for the expedient and comprehensive reply.
> >
> >On Thu, 2010-03-18 at 06:45 +0100, bert hubert wrote:
> >>The 'nothing but trouble' refers to the surprisingly large number of servers
> >>that when queried with EDNS on, either provide no answer, return a SERVFAIL
> >>or a malformed answer.
> >>
> >As it turns out, my testing has shown that at least one important
> >NZ-based government website falls into this category :(
> >
> >>I hope the above answers your questions.
> >>
> >Sure did, cheers.
> >
> _______________________________________________
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users
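The 'do=1 query' and the reply categories mentioned in this thread (no answer, SERVFAIL, malformed answer, fall back to TCP), as an added example that is not part of the original messages and is not PowerDNS or BIND code. The function names, the 4096-byte payload size and the query ID are assumptions chosen for illustration.

```python
import struct

DO_BIT = 0x8000  # "DNSSEC OK" flag in the flags half of the OPT TTL field
OPT = 41         # EDNS0 pseudo-record type

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, udp_size=4096, do=True, qid=0x1234):
    """Build a DNS query carrying an OPT record; do=True gives a 'do=1 query'."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_reply(msg):
    """Map a UDP reply (None = timeout) onto the failure modes named in the thread."""
    if msg is None:
        return "no answer"
    try:
        _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        off, has_opt = 12, False
        for _ in range(qd):
            off = skip_name(msg, off) + 4
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            has_opt = has_opt or rtype == OPT
        if off > len(msg):
            raise ValueError("record runs past end of packet")
    except (struct.error, IndexError, ValueError):
        return "malformed"
    if flags & 0xF == 2:
        return "SERVFAIL"
    if flags & 0x0200:  # TC bit: answer did not fit in UDP
        return "truncated, retry over TCP"
    return "EDNS ok" if has_opt else "answered without EDNS"
```

Sending the bytes from `build_query` over UDP to a server you operate and passing the reply (or `None` on timeout) to `classify_reply` shows which of these categories that server falls into.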