On Thu, 09 Aug 2007 22:58:40 -0000, Paul Vixie said:
> > How does the (eventual) deployment of DNSSEC change these numbers?
>
> DNSSEC cannot be signalled except in EDNS.

Right. Elsewhere in this thread, somebody discussed ugly patches to keep the packet size under 512. I dread to think how many different ways of "protecting" DNS are deployed that will break EDNS, and just haven't been noticed because there's little enough *actual* EDNS breakage that it's down in the noise of *other* "random voodoo" breakage at those sites.

> > And who's likely to feel *that* pain first?
>
> the DNSSEC design seems to distribute pain very fairly.

I actually meant "which 800 pound gorilla is going to try this first and find all the bustifications", but your answer is good too.. :)