[dns-operations] Stop marking TLD's NS server as EDNS-incapable
David C Lawrence
tale at akamai.com
Mon Mar 6 15:50:20 UTC 2017
Shane Kerr writes:
> Ironically if the Great Firewall was smarter and only modified queries
> going to Facebook's actual name servers then there would be no
> problems. I suspect that the Chinese government is quite happy for
> these operational problems with DNSSEC to encourage operators to
> disable it.
Right, my original reaction to reading this line in Davey's original
post:
"It explains the low penetration of DNSSEC and complains on DNSSEC in
that region."
Well it might contribute to it, but personally I expect that it is the
mucking about with DNS answers that the Great Firewall does that is
the primary obstacle toward DNSSEC deployment in China.
Sure BIND could handle this case better, but Chinese users are still
going to have a lot of issues with DNSSEC.
More information about the dns-operations
mailing list