Terry,

On Oct 15, 2024, at 5:01 AM, Terry Manderson <terry@terrym.net> wrote:
Looking at DO bit query attributes on L.ROOT-SERVERS.NET publicly available data, DO=1 is around 130K queries per second, with DO=0 or no DO at around 30K queries per second. I don't agree with "2/3rds don't validate." I will agree that the graph seems stable - others with longer baseline visibility might be able to observe a trend.

DO=1 means “I can understand DNSSEC-related RRs”. It doesn’t mean a resolver actually does anything with those RRs. As far as I'm aware, the best statistics for actual DNSSEC validation are at https://stats.labs.apnic.net/dnssec.

Regards,
-drc
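
Added example, not part of the original message or of any root-server operator's tooling: a sketch of how a DO=1 / DO=0 / no-EDNS tally like the one quoted above can be computed from query wire data. It shows that the count reads a single flag bit the querier sets in the EDNS0 OPT pseudo-RR, which carries no information about whether the querier validates. The function names and the sample queries are constructed for illustration.

```python
import struct

OPT = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def do_bit(msg):
    """True/False for the DO flag; None when the message carries no OPT RR."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:
            # OPT reuses TTL as: ext-rcode(8) | version(8) | DO(1) | Z(15)
            return bool(ttl & 0x8000)
    return None

def make_query(name, edns=True, do=False):
    """Constructed sample: an A/IN query, optionally with an OPT RR."""
    q = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    for label in filter(None, name.split(".")):
        q += bytes([len(label)]) + label.encode()
    q += b"\x00" + struct.pack("!HH", 1, 1)
    if edns:                           # root owner name, class = UDP size
        q += b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000 if do else 0, 0)
    return q

def tally(queries):
    """Count queries by DO flag, the attribute a per-server DO graph plots."""
    counts = {"DO=1": 0, "DO=0": 0, "no EDNS": 0}
    for q in queries:
        d = do_bit(q)
        counts["no EDNS" if d is None else ("DO=1" if d else "DO=0")] += 1
    return counts

# Constructed sample traffic, not captured data.
SAMPLES = [make_query("example.com", do=True), make_query("example.net", do=True),
           make_query("example.org", do=False), make_query("example.com", edns=False)]

if __name__ == "__main__":
    print(tally(SAMPLES))
```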