[dns-operations] EDNS0 fallback in the era of DNSSEC

David C Lawrence tale at akamai.com
Mon Apr 29 14:53:22 UTC 2013

Paul Hoffman writes:
> Retrying queries without EDNS0 seems sensible before deployment of DNSSEC.
> Is that still the case now that DNSSEC is more widely deployed? 

Yes, just not in this case.  We definitely still see broken setups
where the no-EDNS0 fallback is necessary to get an answer.

I agree with Bert in that if a domain indicates it needs DNSSEC, then
the resolver shouldn't send itself down a path where it can't get the
answers it needs.
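
The policy discussed in this message, sketched as an added example that is not part of the original post or of any resolver's code. It assumes the resolver already knows whether the zone is signed (for instance from a validated DS record at the parent); the ladder, buffer sizes, function names and server models are hypothetical.

```python
# Added illustration; names and buffer sizes are assumptions, not from the post.
# Retry ladder per server: (use_edns, udp_payload_size). The DO bit is carried
# in the EDNS0 OPT record, so the last rung cannot request DNSSEC records.
LADDER = [(True, 4096), (True, 512), (False, 512)]

def plan_attempts(zone_is_signed):
    """Queries a validating resolver may try, in order, against one server."""
    plan = []
    for use_edns, payload in LADDER:
        if zone_is_signed and not use_edns:
            break  # a reply without RRSIGs can never validate, so don't ask
        plan.append({"edns": use_edns, "payload": payload, "do": use_edns})
    return plan

def resolve(zone_is_signed, server):
    """server(attempt) returns 'answer', 'timeout' or 'formerr'."""
    tried = []
    for attempt in plan_attempts(zone_is_signed):
        outcome = server(attempt)
        tried.append((attempt["edns"], attempt["payload"], outcome))
        if outcome == "answer":
            return "answer", tried
    return "servfail", tried  # a real resolver would try the next server

# Constructed server models.
def broken_server(attempt):
    # Drops any query carrying an OPT record; answers plain DNS only.
    return "timeout" if attempt["edns"] else "answer"

def healthy_server(attempt):
    return "answer"

if __name__ == "__main__":
    for signed in (False, True):
        for srv in (broken_server, healthy_server):
            print(signed, srv.__name__, resolve(signed, srv))
```

For an unsigned zone the broken server is still reached through the no-EDNS0 rung; for a signed zone the resolver stops and fails rather than accepting a reply it could never validate.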
