On Aug 19, 2008, at 2:09 PM, [EMAIL PROTECTED] wrote:
Peter Koch did provide an interesting
data point that warrants further investigation (20-35% of queries having DO
bit on seems a bit high to me)

From my own limited investigations (less than 10 servers, but millions
of DNS queries thus hopefully somewhat statistically significant):

 Authoritative servers: 35 - 45%
 Recursive servers:     In the noise (less than 0.5%)

which seems to indicate that there are quite a few recursive servers
out there that set the DO bit when querying authoritative servers.

Yes. I've just been told by a fairly authoritative source that BIND 9.5.1 (at least) sets the DO bit on by default, regardless of whether DNSSEC is configured. This would explain the high number of queries coming in with DO set.

The implication of this implementation decision is that if the root is signed, folks using BIND 9.5.1 (at least) will be requesting DNSSEC regardless of whether the caching server operator has configured DNSSEC or is prepared to handle a DNSSEC-related response.

Food for thought.

Regards,
-drc

P.S. Seems I need to revise 3225...

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
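As an added illustration of the measurement the thread is discussing (example code, not from the list or from BIND): a minimal parser that tells whether a DNS query carries an EDNS0 OPT record with the DO bit set, plus the share of such queries over a constructed sample; the names, query types and UDP size are assumptions.

```python
import struct

DO_FLAG = 0x8000  # DO bit: top bit of the EDNS flags field in the OPT RR (RFC 3225)

def build_query(name: str, qtype: int = 1, edns: bool = False, do: bool = False) -> bytes:
    """Build a minimal DNS query on the wire (constructed input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    opt = b""
    if edns:  # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, "TTL" = rcode|ver|flags, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_FLAG if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (a compression pointer ends the name)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def do_bit_set(msg: bytes) -> bool:
    """True if a query carries an OPT RR with DO set; assumes no answer/authority RRs (a query)."""
    qd, ar = struct.unpack("!HH", msg[4:6] + msg[10:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return bool(ttl & DO_FLAG)  # EDNS flags are the low 16 bits of the TTL field
        off += 10 + rdlen
    return False

def do_bit_ratio(queries) -> float:
    """Fraction of queries with DO set, i.e. the per-server percentage discussed in the thread."""
    return sum(do_bit_set(q) for q in queries) / len(queries) if queries else 0.0

# Constructed sample: 2 of 5 queries ask for DNSSEC (40%), inside the authoritative-side range quoted above
SAMPLE = [build_query("example.com.", edns=True, do=True), build_query("example.net.", edns=True),
          build_query("example.org."), build_query("www.example.com.", 28, edns=True, do=True),
          build_query("ns.example.net.", 2)]
```

Running the same check over a capture from a recursive server versus an authoritative one is the comparison the thread makes; a high DO share at an authoritative server with no DNSSEC deployed behind it points at resolvers setting the bit by default.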