* Michael Tokarev:
EDNS0 can be easily abused for traffic amplication purposes. 8-(
Root and TLD nameservers rarely have large answers to queries to exceed 512 bytes.
The miscreants have partial write access to most TLD zones, so they can create record sets whose size approaches or exceeds 512 bytes.
(And for those rare cases if they exists, TCP connection should be established to get a reply --
This seems to be Verisign's intent, and yet you still complain.
But this does not really matter. I repeat: One don't have to "support" EDNS0, just don't report it as error,
EDNS0-capable resolvers typically cache the information that another server doesn't support EDNS0. Returning FORMERR is compliant with RFC 2671.
like broken routers does with ECN.
IIRC, the complaint with respect to ECN was that some routers dropped packets *without* signaling an error.