[dns-operations] All dual-stack DNS servers - any problem with it?

Paul Vixie paul at vix.com
Wed May 16 16:27:26 UTC 2007


> You can see that the additional section is not signed, which renders the
> provided glue almost useless: we have to requery the glue from the root
> server, but do not get it signed!

no, you do not have to requery anything.  read the rfc's.

> All we can get is a signed DS-record, and have to check the trust chain
> ourselves.

yes.

> If we limit the DNS size to 512 bytes, the results are frustrating: Every
> possible response is truncated, because the RRSIG is too long.

dnssec requires edns.


