[dns-operations] Mysteries of DNSSEC

Geoff Huston gih at apnic.net
Sat Mar 30 20:43:14 UTC 2024

> On 31 Mar 2024, at 5:36 AM, Joe Abley <jabley at strandkip.nl> wrote:
> On 30 Mar 2024, at 19:18, John Levine <johnl at taugh.com> wrote:
>> The first surprise I found is that once I turned it on, nearly every
>> query, like 99%, asks for DNSSEC. Is this typical or do I have an odd
>> set of clients?
> If you mean almost all queries had EDNS(0) and DO=1 then I think that's typical.

Across some billion queries gathered over 2 days last week I see 92% with the
EDNS DNSSEC OK (DO) bit set. The rate is lower in North America (84%) and 
higher in Europe (96%) and ASia (94%) so there is some variation across the DNS 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4162 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20240330/970b9d40/attachment-0001.bin>

More information about the dns-operations mailing list