DO says that you *understand* DNSSEC and that it is ok to send a DNSSEC response. It does not mean that you will be validating the response.
named in all production versions of BIND 9 (9.1.0 onwards) has set DO on all EDNS queries. BIND 9.1.1 onwards named copies DO to the response. BIND 8 does EDNS w/o setting or examining D0. What this says is that over half the world is in a position to turn on DNSSEC validation today if they want to. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED] _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop