[ksk-rollover] resolvers with KSK-2010 only working as forwarders

Hello, here is one more wild guess/attempt to explain KSK-2010 only resolvers: Some of resolvers which RFC8145-report having only KSK-2010 [1] might be used as forwarders in some larger DNS caching topology, e.g. inside a company networks. Recent versions of Knot Resolver and I believe also Unbound set CD (Checking Disabled) bit when forwarding queries to another resolver, so intermediary resolver with KSK-2010 only would not cause resolution failure on these "leaf" resolvers. I seriously doubt this can explain all of KSK-2010 only resolvers but it might be a contributing factor. [1] http://root-trust-anchor-reports.research.icann.org/ -- Petr Špaček @ CZ.NIC