trouble with .gov dns?

David Conrad drc at
Tue May 3 14:23:56 UTC 2011

On May 2, 2011, at 10:19 PM, Florian Weimer wrote:
> I would go even further---the DO bit is not about DNSSEC at all.

Err, yes it is.

> The
> resolver just promises to ignore any ancillary record sets it does not
> understand.

How people implement RFC 3225 does differ from the intent of the author, however I would be surprised if this is what DO is taken to mean in any resolver.

> If DO were about DNSSEC, a new flag would have been
> introduced along with DNSSECbis, where the record types changed so
> that for resolvers implementing the older protocol, the DNSSECbis
> records just looked like garbage.

You're suggesting RFC 3225 should have predicted DNSSECbis?  Would it help if the interpretation of DO is that indicates the resolver supports "DNSSEC as defined at the time"?

This probably isn't the right venue for this discussion.


More information about the NANOG mailing list