From: Paul Ebersman via rssac-caucus <rssac-caucus@icann.org>

terry> That is a correct interpretation of the DO bit. I haven't looked
terry> at the APNIC stats, but will do so later ... However, if that is
terry> the case, one would ask "WHY" are so many resolvers asking
terry> for DNSSEC responses and doing nothing with them? Again, root
terry> cause analysis!
Stub OS resolvers like Microsoft's have been setting the DO bit for decades, and the resolvers above them pass that on. That doesn't mean they use the signatures, etc.
My Windows client does not set the DO bit.

Full-service resolvers like BIND 9, Unbound, Knot Resolver, etc. have been setting the DO bit to pass RRSIGs to stub validators when they do not validate.

RFC 4033 and RFC 4035 define that security-aware resolvers (those that know DNSSEC) MUST set the DO bit when sending requests (even if they don't validate). See RFC 4035 Section 3.2.1 and RFC 4033 Section 2.

If we want to know the DNSSEC validation status of full-service resolvers from the root servers' side, we can look at the number of IP addresses that send "." DNSKEY queries.

-- 
Kazunori Fujiwara, JPRS <fujiwara@jprs.co.jp>
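As an added illustration (not part of the thread, and not code from any of the posters or from JPRS), the following Python script shows the two signals being discussed side by side. It builds DNS queries with and without an EDNS0 OPT record, extracts the DO bit from the OPT RR's flags (the low 16 bits of the OPT TTL field, DO = 0x8000), and then applies both measures to a small set of constructed query packets with made-up source addresses: the number of source IPs that set DO, versus the number of source IPs that send DNSKEY queries for ".". The source addresses, packet contents and query mix are constructed sample data, not measurements.

```python
import struct
from typing import Optional

QTYPE_DNSKEY = 48   # RR type number for DNSKEY
OPT_TYPE = 41       # RR type number for the EDNS0 OPT pseudo-RR
DO_FLAG = 0x8000    # DNSSEC OK bit in the OPT flags field (RFC 4035 3.2.1 / RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format; "." becomes a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, do: Optional[bool] = None, msg_id: int = 0x1234) -> bytes:
    """Build a DNS query. do=None means no OPT record at all; True/False sets/clears DO."""
    arcount = 0 if do is None else 1
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)  # RD set, one question
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if do is not None:
        flags = DO_FLAG if do else 0
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 4096, 0, 0, flags, 0)
    return header + question + opt


def read_name(data: bytes, offset: int):
    """Read an uncompressed wire-format name; returns (dotted name, new offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name not supported")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def skip_rr(data: bytes, offset: int) -> int:
    """Skip one resource record (name, 10 fixed bytes, RDATA)."""
    _, offset = read_name(data, offset)
    rdlen = struct.unpack("!H", data[offset + 8:offset + 10])[0]
    return offset + 10 + rdlen


def parse_query(data: bytes) -> dict:
    """Return qname, qtype and the DO bit (None if the query carries no OPT record)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    offset = 12
    qname, offset = read_name(data, offset)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    for _ in range(an + ns):          # normally empty in a query
        offset = skip_rr(data, offset)
    do = None
    for _ in range(ar):
        name, off2 = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off2:off2 + 10])
        if rtype == OPT_TYPE and name == ".":
            do = bool((ttl & 0xFFFF) & DO_FLAG)   # flags are the low 16 bits of the TTL field
        offset = off2 + 10 + rdlen
    return {"qname": qname, "qtype": qtype, "do": do}


def classify_sources(packets):
    """packets: iterable of (src_ip, wire bytes). Returns (IPs setting DO, IPs asking "." DNSKEY)."""
    do_set, root_dnskey = set(), set()
    for src, wire in packets:
        q = parse_query(wire)
        if q["do"]:
            do_set.add(src)
        if q["qname"] == "." and q["qtype"] == QTYPE_DNSKEY:
            root_dnskey.add(src)
    return do_set, root_dnskey


# Constructed sample traffic (hypothetical addresses from the 192.0.2.0/24 documentation range).
SAMPLE = [
    ("192.0.2.10", build_query("example.", 1, do=True)),        # sets DO, never asks for the root key
    ("192.0.2.10", build_query("example.", 2, do=True)),
    ("192.0.2.20", build_query(".", QTYPE_DNSKEY, do=True)),    # fetches "." DNSKEY, as a validator would
    ("192.0.2.20", build_query("example.", 1, do=True)),
    ("192.0.2.30", build_query("example.", 1, do=None)),        # no EDNS at all
    ("192.0.2.40", build_query("example.", 1, do=False)),       # EDNS present, DO clear
]

if __name__ == "__main__":
    do_ips, key_ips = classify_sources(SAMPLE)
    print("sources setting DO:      ", sorted(do_ips))
    print("sources asking . DNSKEY: ", sorted(key_ips))
```

On the constructed sample, two sources set DO but only one of them ever asks for the root DNSKEY, which is the distinction the thread draws: a DO bit says the sender can handle DNSSEC records, not that it validates them. Counting "." DNSKEY sources as seen at the root is the measure suggested above; it is still an approximation, since it depends on what each resolver does after receiving the key.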