In your previous mail you wrote:

   Yes. I've just been told by a fairly authoritative source that BIND 9.5.1 (at least) sets the DO bit on by default, regardless of whether DNSSEC is configured. This would explain the high number of queries coming in with DO set.

=> as you know the DO bit means DNSSEC RRs are accepted, so an implementation which supports them should set the DO bit.

   The implication of this implementation decision is that if the root is signed, folks using BIND 9.5.1 (at least) will be requesting DNSSEC

=> s/requesting/accepting/

   regardless of whether the caching server operator has configured DNSSEC or is prepared to handle a DNSSEC-related response.

=> I agree only for the second (is prepared to handle). Note this is bound to EDNS0, without it no DO, IPv6, size negotiation, etc.

   P.S. Seems I need to revise 3225...

=> this was the intended side effect of 3225 so if you change your mind you know what to do (-:).

Regards

[EMAIL PROTECTED]
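An added illustration, not part of the original mail: a minimal parser that reads the EDNS0 OPT pseudo-RR from a DNS query and reports whether the DO bit is set, which is how a server operator could tally the share of incoming queries with DO. The query builder, function names and sample queries are constructed for this example.

```python
import struct

DO_FLAG = 0x8000  # RFC 3225: DO is the top bit of the flags half of the OPT TTL
OPT = 41          # EDNS0 OPT pseudo-RR type

def build_query(name, edns=True, do=False, udp_size=4096):
    """Build a constructed A/IN query, optionally with an EDNS0 OPT RR."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += qname + struct.pack("!HH", 1, 1)
    if edns:  # root owner name, type OPT, class = UDP size, TTL = flags
        msg += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return None when there is no OPT RR, else (advertised UDP size, DO bit)."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None

def tally(queries):
    """Count queries by EDNS0/DO status."""
    counts = {"no-edns": 0, "edns": 0, "edns+do": 0}
    for q in queries:
        info = edns_info(q)
        counts["no-edns" if info is None else "edns+do" if info[1] else "edns"] += 1
    return counts

# Constructed sample queries, not captured traffic.
SAMPLES = [build_query("example.com", edns=False), build_query("example.com"),
           build_query("example.org", do=True), build_query(".", do=True)]
print(tally(SAMPLES))
```

A query without an OPT RR cannot carry DO at all, which is why the tally keeps "no-edns" separate from "edns" with DO clear.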