Terry,
The path a particular resolution takes can be arbitrarily complex due to forwarders and other eyebrow-raising operational choices. In order for DNSSEC-related RRs to get from the authoritative to the validator, every resolver-like thing in the path must signal it won’t drop DNSSEC RRs (or explode in flames on seeing an RR it didn’t understand — RFC 3225 is old and before it was implemented, there were resolver implementations that behaved poorly when they saw DNSSEC RRs). As a result, pretty much every modern resolver (or resolver-like thing) that implements DNSSEC sets DO=1, even if it never actually validates.
Regards,
-drc
On Tue, Oct 15, 2024, at 8:44 AM, Terry Manderson wrote:
Hi David,
That is a correct interpretation of the DO bit. I haven't looked at the APNIC stats, but will do so later ... However, if that is the case, one would ask "WHY" so many resolvers are asking for DNSSEC responses and doing nothing with them? Again, root cause analysis!
If the result is just laziness, then any approach discussed without DNSSEC validation as a staple disenfranchises those that have gone to the effort to sign their zones.
Cheers,
Terry
--
Mobile device, don't expect grammar.
On 15 Oct 2024, at 10:39 AM, David Conrad <david.conrad@layer9.tech> wrote:
Terry,
On Oct 15, 2024, at 5:01 AM, Terry Manderson <terry@terrym.net> wrote:
Looking at DO bit query attributes in L.ROOT-SERVERS.NET (http://l.root-servers.net/) publicly available data, DO=1 is at around 130K queries per second, with DO=0 or no DO at around 30K queries per second. I don't agree with "2/3rds don't validate." I will agree that the graph seems stable - others with longer baseline visibility might be able to observe a trend.
DO=1 means “I can understand DNSSEC-related RRs”. It doesn’t mean a resolver actually does anything with those RRs. As far as I'm aware, the best statistics for actual DNSSEC validation are at https://stats.labs.apnic.net/dnssec.
Regards,
-drc
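The thread turns on two points: the DO bit is just a flag in the EDNS OPT pseudo-RR that a querier sets to say it can handle DNSSEC RRs, and any hop in the resolution path that forwards a query without its OPT RR silently turns a DO=1 query into a "no EDNS" query at the authoritative. The following Python, added here as an illustration and not code from any of the list participants, builds a minimal DNS query in wire format (RFC 1035 header and question, RFC 6891 OPT RR with the DO bit from RFC 3225 in the high bit of the OPT "TTL" flags field), classifies a query into the three buckets the L-root statistics distinguish (DO=1, DO=0, no EDNS), and models a legacy forwarder that strips the OPT RR. The query name, query id and the 1232-byte UDP payload size are constructed sample values.

```python
import struct

EDNS_OPT_TYPE = 41   # OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000     # DNSSEC OK: high bit of the OPT RR's 16-bit extended flags (RFC 3225)


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels terminated by a zero length byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, edns=True, do=False, udp_size=1232, qid=0x1234):
    """Build a recursion-desired query; with edns=True an OPT RR is appended to the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE=41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode (8) | version (8) | flags (16) where DO is 0x8000, RDLEN=0.
        ttl = DO_FLAG if do else 0
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past the name starting at off (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _walk_records(msg):
    """Yield (start, rtype, ttl, end) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        start = off
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        yield start, rtype, ttl, off


def classify_do(msg):
    """Bucket a query the way the root-server stats do: 'DO=1', 'DO=0' or 'no EDNS'."""
    for _start, rtype, ttl, _end in _walk_records(msg):
        if rtype == EDNS_OPT_TYPE:
            return "DO=1" if ttl & DO_FLAG else "DO=0"
    return "no EDNS"


def strip_edns(msg):
    """Model a legacy hop that forwards the query without its OPT RR (so DO is lost downstream)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    for start, rtype, _ttl, end in _walk_records(msg):
        if rtype == EDNS_OPT_TYPE:
            header = struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar - 1)
            return header + msg[12:start] + msg[end:]
    return msg


if __name__ == "__main__":
    q = build_query("example.com.", do=True)
    print(classify_do(q))              # DO=1 as sent by the stub/validator
    print(classify_do(strip_edns(q)))  # no EDNS as seen past an OPT-stripping forwarder
```

The classification only looks at what is on the wire, which is exactly the limitation Terry and David discuss: a DO=1 query tells you the sender can carry DNSSEC RRs, not that anyone in the chain will validate them.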