Fujiwara-san,

Thank you for that! I don't see that stub resolvers are capable of DNSSEC validation at this point, or even the desired location from a "conservation of processing" point of view, but that might be just me. Have there been any studies done to analyse the number of resolvers talking to the RSS (with query volumes) that do or do not ask for DNSKEY? (Google Scholar didn't find anything of note.) Would that not be the categorical definition of DNSSEC validation? Especially in regards to the root server system?

Cheers,
Terry
-- Mobile device, don't expect grammar.
On 15 Oct 2024, at 1:55 PM, Kazunori Fujiwara <fujiwara@jprs.co.jp> wrote:
> From: Paul Ebersman via rssac-caucus <rssac-caucus@icann.org>
>
> terry> That is a correct interpretation of the DO bit. I haven't looked at the APNIC stats, but will do so later ... However, if that is the case, one would ask "WHY" so many resolvers are asking for DNSSEC responses and doing nothing with them? Again, root cause analysis!
>
> Stub OS resolvers like Microsoft's have been setting the DO bit for decades, and the resolvers above them pass that on. That doesn't mean they use the signatures, etc.
My Windows client does not set the DO bit.
Full-service resolvers like BIND 9, Unbound, Knot Resolver, etc. have been setting the DO bit to pass RRSIGs to stub validators even when they do not validate themselves.
RFC 4033 and RFC 4035 define that Security-Aware resolvers (those that know DNSSEC) MUST set the DO bit when sending requests, even if they don't validate.
See: RFC 4035 Section 3.2.1, RFC 4033 Section 2
If we want to know the DNSSEC validation of full-service resolvers from the root servers' side, we can look at the number of IP addresses that send "." DNSKEY queries.
-- Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
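The two points made in the thread, that a set DO bit only means "send me RRSIGs" (RFC 4035 Section 3.2.1) while a query for the root DNSKEY RRset is the better proxy for actual validation, can be shown on wire-format queries. The following is an added example, not code from the thread or from any participant or software mentioned in it. It constructs a handful of EDNS0 queries in wire format, parses the DO bit out of the OPT record's TTL field, and tallies, per source address, who sets DO versus who actually fetches the root DNSKEY. The function names, the source addresses (from the RFC 5737 documentation ranges), and the sample traffic are all constructed for the demo.

```python
"""Classify DNS queries as an authoritative (root-like) server would see them.

Added example (not from the thread). It shows:
  1. where the DO bit lives: the high bit of the OPT record's 32-bit TTL
     field (RFC 6891 Section 6.1.4); setting it only asks for RRSIGs;
  2. that counting sources which query "." DNSKEY separates validators
     from security-aware-but-non-validating resolvers, which also set DO.
All queries below are constructed in wire format for the demo.
"""
import struct

QTYPE_A = 1
QTYPE_OPT = 41
QTYPE_DNSKEY = 48
DO_FLAG = 0x8000  # DO bit inside the OPT TTL: ext-rcode(8) | version(8) | flags(16)


def encode_name(name):
    """Wire-encode a domain name; "." becomes a single zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name starting at off; return (name, new_off).
    Queries do not use compression pointers, so none are handled here."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def build_query(qname, qtype, do_bit=False, edns=True, qid=0x1234):
    """Build a minimal query (constructed input): header, one question,
    and, when edns is True, one OPT record carrying the DO flag."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if not edns:
        return header + question
    ttl = DO_FLAG if do_bit else 0
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 1232, ttl, 0)
    return header + question + opt


def parse_query(msg):
    """Return qname, qtype and whether the DO bit is set for one query."""
    _qid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do = False
    # A query has no answer/authority records; walk the additional section for OPT.
    for _ in range(ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT and name == ".":
            do = bool(ttl & DO_FLAG)
    return {"qname": qname, "qtype": qtype, "do": do}


def classify_sources(queries):
    """queries: iterable of (source_ip, wire_message).
    Returns (sources that set DO on any query, sources that asked for "." DNSKEY)."""
    do_setters, dnskey_askers = set(), set()
    for src, msg in queries:
        q = parse_query(msg)
        if q["do"]:
            do_setters.add(src)
        if q["qname"] == "." and q["qtype"] == QTYPE_DNSKEY:
            dnskey_askers.add(src)
    return do_setters, dnskey_askers


# Constructed sample traffic as seen by a root-like server.
SAMPLE = [
    ("192.0.2.10", build_query(".", QTYPE_DNSKEY, do_bit=True)),   # validator fetching the root key
    ("192.0.2.10", build_query("example.", QTYPE_A, do_bit=True)),
    ("198.51.100.7", build_query("example.", QTYPE_A, do_bit=True)),  # DO set, never asks for DNSKEY
    ("203.0.113.5", build_query("example.", QTYPE_A, edns=False)),    # security-oblivious, no EDNS
]

if __name__ == "__main__":
    do_setters, dnskey_askers = classify_sources(SAMPLE)
    print("sources setting DO:      ", sorted(do_setters))
    print("sources asking . DNSKEY: ", sorted(dnskey_askers))
```

Run against the constructed sample, two sources set DO but only one ever asks for the root DNSKEY, which is exactly the gap between the two metrics the thread is discussing. On a real server the same tally would be fed from a packet capture or dnstap stream rather than the embedded list.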