Re: [PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled

[Florian Weimer <fweimer at redhat dot com>]

On 02/23/2015 04:00 PM, Carlos O'Donell wrote:
> On 02/23/2015 05:21 AM, Florian Weimer wrote:
>>> In all of these cases the use of the DO-bit remains. No further RFC
>>> removes the use of the DO-bit from the client side protocol. None
>>> that I am aware of.
>>
>> The DO bit was introduced early because it was noticed that some clients
>> would choke on the unknown (to them) resource records sent along with
>> DNSSEC responses, so some mechanism was needed to suppress the record to
>> enable name resolution for those older implementations.
> 
> You wrote earlier in this thread that the DO bit is not related to DNSSEC.
> 
> I argue that it *is* related to DNSSEC, and continues to be related.
> 
> Am I wrong?

It was introduced to a specific failure case spotted with the first
installment of DNSSEC.

But the same bit was reused for the second installment of DNSSEC, which
was totally unrecognizable to implementations of the earlier DNSSEC
variant.  From their point of view, it could have been something else
entirely, they wouldn't know that it was still called DNSSEC.

DO is generally thought of as “DNSSEC supported”, so you are right, but
in practice, it just means, “you can send me properly formatted resource
records along with the answer which bear no relationship to the query,
and I will still pick out those records I'm interested in”.

-- 
Florian Weimer / Red Hat Product Security