Hi David,

That is a correct interpretation of the DO bit. I haven't looked at the APNIC stats, but will do so later ... However, if that is the case, one would ask "WHY" are so many resolvers asking for DNSSEC responses and doing nothing with them? Again, root cause analysis! If the result is just laziness, then any approach discussed without DNSSEC validation as a staple disenfranchises those that have gone to the effort to sign their zones.

Cheers,
Terry

-- Mobile device, don't expect grammar.
On 15 Oct 2024, at 10:39 AM, David Conrad <david.conrad@layer9.tech> wrote:
Terry,
On Oct 15, 2024, at 5:01 AM, Terry Manderson <terry@terrym.net> wrote:

> Looking at DO bit query attributes on L.ROOT-SERVERS.NET publicly available data, DO=1 is around the 130K queries per second, with DO=0 or no DO at around 30K queries per second. I don't agree with "2/3rds don't validate." I will agree that the graph seems stable - others with longer baseline visibility might be able to observe a trend.
DO=1 means “I can understand DNSSEC-related RRs”. It doesn’t mean a resolver actually does anything with those RRs. As far as I'm aware, the best statistics for actual DNSSEC validation is at https://stats.labs.apnic.net/dnssec.
Regards, -drc
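To make the DO-bit point concrete: the example below (added here, not part of the thread or any root-server tooling) builds minimal wire-format queries with and without an EDNS0 OPT record, then reads the DO flag from the OPT RR's TTL field (RFC 6891) and tallies DO=1 against DO=0/no-EDNS, which is the only thing a server-side counter like the one cited above can observe. The query builder, the `do_bit` parser and the sample queries are all constructed for this illustration.

```python
import struct

def build_query(qname: str, qtype: int = 1, edns: bool = True, do: bool = True) -> bytes:
    """Construct a minimal DNS query; optionally append an OPT RR with the DO flag."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS=IN
    if not edns:
        return header + question
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL field = ext-rcode | version | flags (DO is the top bit), RDLEN=0
    flags = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, flags, 0)
    return header + question + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def do_bit(msg: bytes):
    """True for DO=1, False for DO=0, None when the query carries no OPT RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                 # OPT: DO is bit 15 of the 32-bit TTL field
            return bool(ttl & 0x8000)
        off += 10 + rdlen
    return None

def tally(queries):
    """Classify queries the way a server-side DO counter would: DO=1 vs everything else."""
    counts = {"DO=1": 0, "DO=0/none": 0}
    for q in queries:
        counts["DO=1" if do_bit(q) else "DO=0/none"] += 1
    return counts

# Constructed sample traffic: one DO=1 query, one DO=0 query, one with no EDNS at all.
SAMPLE = [build_query("example.com."), build_query("example.net.", do=False),
          build_query("example.org.", edns=False)]
```

Note that `do_bit` tells you only whether the client advertised DNSSEC awareness; nothing in the packet reveals whether the resolver will validate the RRSIGs it receives.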