* Tony Finch:

> Florian Weimer <[email protected]> wrote:
>>
>> > I have "dnssec-enable no;" in my bind config.
>>
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so
> it is OK to send them" not "I would like you to send DNSSEC
> RRs". This is why it always sets the DO bit when it can, i.e. when
> the request contains an EDNS OPT pseudo-RR.
I would go even further---the DO bit is not about DNSSEC at all. The resolver just promises to ignore any ancillary record sets it does not understand. If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.
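The DO bit the thread argues about is not a header flag at all; it is bit 15 of the flags half of the OPT pseudo-RR's TTL field, so it only exists when a query carries EDNS. The following is an added illustration, not code from the list thread or from BIND: it builds a minimal wire-format query with or without an OPT RR and reads the DO bit back out (the constants `EDNS_OPT_TYPE` and `DO_BIT` follow the RFC layout; the query id and UDP payload size are arbitrary sample values).

```python
import struct

EDNS_OPT_TYPE = 41      # OPT pseudo-RR type code (RFC 6891)
DO_BIT = 0x8000         # bit 15 of the OPT RR's 32-bit TTL field (RFC 3225)

def build_query(qname, qtype=1, edns=True, do=True, udp_size=4096):
    """Return a wire-format query; append an OPT pseudo-RR when edns=True."""
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = qname.rstrip('.').split('.')
    q = b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'
    q += struct.pack('!HH', qtype, 1)             # QTYPE, QCLASS=IN
    if not edns:
        return header + q
    # OPT RR: root name, type 41, "class" = UDP payload size,
    # "TTL" = ext-rcode(8) | version(8) | flags(16), no rdata
    ttl = DO_BIT if do else 0
    opt = b'\x00' + struct.pack('!HHIH', EDNS_OPT_TYPE, udp_size, ttl, 0)
    return header + q + opt

def skip_name(buf, off):
    """Advance past an uncompressed or compressed owner name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length

def do_bit(msg):
    """True/False for the DO bit of the first OPT RR, None if no EDNS."""
    qd, an, ns, ar = struct.unpack('!HHHH', msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            return bool(ttl & DO_BIT)
    return None
```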

