[dns-operations] Stop marking TLD's NS server as EDNS-incapable

David C Lawrence tale at akamai.com
Mon Mar 6 15:50:20 UTC 2017

Shane Kerr writes:
> Ironically if the Great Firewall was smarter and only modified queries
> going to Facebook's actual name servers then there would be no
> problems. I suspect that the Chinese government is quite happy for
> these operational problems with DNSSEC to encourage operators to
> disable it.

Right, my original reaction to reading this line in Davey's original

"It explains the low penetration of DNSSEC and complains on DNSSEC in
that region."

Well, it might contribute to it, but personally I expect that it is the
mucking about with DNS answers that the Great Firewall does that is
the primary obstacle toward DNSSEC deployment in China.

Sure, BIND could handle this case better, but Chinese users are still
going to have a lot of issues with DNSSEC.

