>> DO necessarily implies UD because the synthesized CNAME is not signed
>> and thus not visible to a DNSSEC client (section 3.1).
>
> DO indicates that you want the DNSSEC records.
DO was originally conceived as "intent to validate". It's not used
this way, though.
> UD indicates that you don't want the synthesised CNAME.
>
> There are cases where you don't want DO to imply UD.
> Think humans reading the output.
If UD is debugging-only, I don't think it's worth the effort.
--
Florian Weimer <fwe...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
--
to unsubscribe send a message to namedroppe...@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
DO was designed to address two issues:
- Protect DNSSEC-ignorant resolvers that failed when they saw
"unknown" RR types.
- Keep answers smaller for DNSSEC ignorant queriers.
When DO was proposed, someone observed "DNSSEC is only for consenting adults".
> > UD indicates that you don't want the synthesised CNAME.
> >
> > There are cases where you don't want DO to imply UD.
> > Think humans reading the output.
>
> If UD is debugging-only, I don't think it's worth the effort.
UD is an exit plan from "synthesize CNAME forever" as the old exit plan
"new version of EDNS" is not on the horizon.
There are actively maintained non-DNSSEC DNAME-aware resolvers
out there and these resolvers can send queries with DO=0 and UD=1.
One of the objections to placing DNAME records
in the root zone was the "CNAME synthesis overhead".
Olafur
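The two threads of the discussion above (the unsigned synthesized CNAME being useless to a DO client, and UD as a way for DNAME-aware non-DNSSEC resolvers to opt out of synthesis) can be shown in code. The following is an added example, not code from any of the posters or from any DNS implementation: it performs RFC 6672 DNAME substitution and then decides whether to attach the synthesized CNAME based on the EDNS flags. The DO bit position is the standard one; the UD bit position is an assumption, since UD was only a proposal.

```python
from __future__ import annotations

DO = 0x8000  # EDNS DO bit, RFC 3225: bit 15 of the OPT record's extended flags
UD = 0x4000  # ASSUMED position for the proposed UD bit; not a standardized value


def _labels(name: str) -> list[str]:
    """Split a presentation-format name into lowercase labels, dropping the root."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def dname_substitute(qname: str, owner: str, target: str) -> str | None:
    """RFC 6672 substitution: replace the DNAME owner suffix of qname with target.

    Returns None when qname is not strictly below owner (the owner name itself
    is never rewritten). Raises ValueError when the result would exceed 255
    wire octets, which a server reports to the client as YXDOMAIN.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new = q[: len(q) - len(o)] + t
    # Wire length: one length octet per label plus the root's zero octet.
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("YXDOMAIN: synthesized name too long")
    return ".".join(new) + "."


def dname_answer(qname: str, owner: str, target: str, edns_flags: int,
                 do_implies_ud: bool = False) -> list[tuple[str, str, str]]:
    """Build the answer section for a query that falls under a DNAME.

    The DNAME itself is always returned: it is the signed record a validating
    resolver uses to recompute the CNAME on its own. The synthesized CNAME is
    unsigned and is omitted when the client set UD or, if do_implies_ud is
    True, when it set DO (the position that DO necessarily implies UD; the
    thread also records the opposing view, hence the switch).
    """
    synthesized = dname_substitute(qname, owner, target)
    if synthesized is None:
        return []  # DNAME does not apply to this qname
    rrs = [(owner, "DNAME", target)]
    suppress = bool(edns_flags & UD) or (do_implies_ud and bool(edns_flags & DO))
    if not suppress:
        rrs.append((qname, "CNAME", synthesized))  # carries TTL 0 on the wire
    return rrs
```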
No, "DO indicates that you want the DNSSEC records" is accurate.
We (= the group that cobbled DNSSEC into BIND 8) stood up a name
server before the DO bit was invented. After not hearing from the
government agency that was funding the work on DNSSEC for a few days
we realized that something was amiss. It turned out that we were
responding to A record requests with responses enlarged by the DNSSEC
records and the funding agency's firewalls were rejecting all traffic
to port 53 over a certain size. This "eating our own dogfood"
experience led to the DO bit.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.
it was a fine way to reduce email traffic. :)
and shows the wisdom of actually "eating our own
dog food".
--bill