> > dnssec requires edns. > > There are several setups out there limiting any EDNS query to 512 bytes. then those setups will preclude the use of dnssec. this isn't negotiable. anyone who breaks edns will break dnssec. anyone stuck in a place where edns doesn't work will have to tunnel dns over vpn.