On Thu, Mar 24, 2016 at 7:10 AM, Florian Weimer <fwei...@redhat.com> wrote:
> DO was used initially for SIG and kept for RRSIG. For an early DNSSEC
> implementation, RRSIG was just another unsolicited RR type because it
> could only know about SIG. This suggests (to me at least) that
> practically speaking, DO isn't strongly tied to DNSSEC.
>
> Florian
Very strong +1.

The % of incoming queries with DO set is far, far higher than the % of incoming queries seen at authority who subsequently ask for DS/DNSKEY at zone and parent. There is a good, strong indication that resolvers pass DO as a compile/run flag of capability to handle additional records in response, not as an indication of intent to perform any function using them.

(This is with fresh, unseen domains, where there is no opportunistic cache of the DNSKEY or DS, so the absence of a fetch of them is a very good indicator there was no intent to try and use the RRSIG sent back as a result of DO being sent in the query.)

-G

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
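As an added example, not code from either poster: a small Python script that reads the DO bit out of a query's EDNS OPT RR and applies the authoritative-side heuristic the reply describes (DO set, but no DNSKEY/DS fetch follows for a never-seen name). The query packets and the query log are constructed; the resolver IPs are documentation addresses.

```python
import struct
from collections import defaultdict

def _skip_name(buf, off):
    """Offset just past a wire-format name (label sequence or compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def do_bit_set(pkt):
    """True if the query carries an EDNS OPT RR (type 41) whose DO bit is set."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4              # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return bool(ttl & 0x8000)               # DO is the top bit of the OPT "TTL" flags
        off += 10 + rdlen
    return False

def build_query(qname, do):
    """Constructed minimal qname/A query with one OPT RR, DO set or clear."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do else 0, 0)
    return hdr + name + struct.pack("!HH", 1, 1) + opt

# Constructed query log, merged from the zone's and the parent's authorities, for
# fresh never-queried names so nothing can come from cache: (resolver_ip, qtype, do_bit)
QUERY_LOG = [
    ("198.51.100.7", "A", True), ("198.51.100.7", "DNSKEY", True),
    ("203.0.113.9", "A", True), ("203.0.113.9", "AAAA", True),
    ("203.0.113.200", "A", True), ("203.0.113.200", "DS", True),
    ("192.0.2.44", "A", False), ("192.0.2.44", "MX", False),
]

def do_without_dnssec_fetch(log):
    """Resolvers that set DO but never asked for DNSKEY or DS: DO as capability, not intent."""
    do_seen, fetch_seen = defaultdict(bool), defaultdict(bool)
    for resolver, qtype, do in log:
        do_seen[resolver] |= do
        fetch_seen[resolver] |= qtype in ("DNSKEY", "DS")
    return sorted(r for r in do_seen if do_seen[r] and not fetch_seen[r])
```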