dnssec validating system tag?
Hello,

I was looking at the probe system tags at https://atlas.ripe.net/docs/probe-tags/ when dnssec validating resolvers came to mind. Have there been thoughts about making the probes do dnssec resolver statistics gathering? I.e. how many / which probes are configured with dns resolvers that do / don't do dnssec validation?

Tapio
On Sat, Apr 21, 2018 at 03:57:26AM +0300, Tapio Sokura <tapio.sokura@iki.fi> wrote a message of 9 lines which said:
> Have there been thoughts about making the probes do dnssec resolver statistics gathering? I.e. how many / which probes are configured with dns resolvers that do / don't do dnssec validation?
It would be a cool system tag (although there are some issues, such as probes with two resolvers, one validating and not the other). In the meantime, you can measure:

% blaeu-resolve --displayvalidation -4 --requested 2000 atlas.ripe.net
Measurement #12283537 for atlas.ripe.net/AAAA uses 1999 probes
...
[ (Authentic Data flag) 2001:67c:2e8:22::c100:69e] : 821 occurrences
[2001:67c:2e8:22::c100:69e] : 1071 occurrences
[ERROR: FORMERR] : 7 occurrences
[TIMEOUT(S)] : 19 occurrences
[] : 1 occurrences
[ (Authentic Data flag) (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 2 occurrences
[ERROR: SERVFAIL] : 1 occurrences
Test #12283537 done at 2018-04-23T10:45:48Z

Basically, a small half of the probes used in this test have a validating resolver. "Truncated" messages are bugs somewhere. Some resolvers are probably buggy and do not like the DO bit, triggering FORMERR.

If you ask only IPv6 probes, you have a better result:

% ./blaeu-resolve --displayvalidation --requested 2000 atlas.ripe.net
[ (Authentic Data flag) 2001:67c:2e8:22::c100:69e] : 1049 occurrences
[2001:67c:2e8:22::c100:69e] : 839 occurrences
[TIMEOUT(S)] : 14 occurrences
[ (Authentic Data flag) (TRUNCATED May have to use --ednssize) ] : 1 occurrences
[ (Authentic Data flag) (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 1 occurrences
[ (TRUNCATED May have to use --ednssize) 2001:67c:2e8:22::c100:69e] : 1 occurrences
[ERROR: FORMERR] : 6 occurrences
Test #12283509 done at 2018-04-23T10:34:34Z

Which makes sense, networks with IPv6 are probably "geekier".
participants (2)
- Stephane Bortzmeyer
- Tapio Sokura
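The categories in the measurement output above (Authentic Data flag, TRUNCATED, FORMERR, SERVFAIL, timeouts) all come from the DNS response header, so a per-resolver classification can be made from the raw reply alone. The following is an added example, not part of the thread and not blaeu's code: the function names and the sample replies are constructed for illustration, and each sample is a bare 12-byte header with no question or answer section.

```python
import struct
from collections import Counter

# Bit masks in the flags word of the DNS header (RFC 1035; AD from RFC 4035).
QR, TC, AD = 0x8000, 0x0200, 0x0020
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def classify(wire):
    """Label one resolver reply; None stands for a timeout (no reply)."""
    if wire is None:
        return "TIMEOUT"
    if len(wire) < 12:
        return "MALFORMED"          # shorter than a DNS header
    _msg_id, flags = struct.unpack("!HH", wire[:4])
    if not flags & QR:
        return "MALFORMED"          # a query, not a response
    rcode = flags & 0x000F
    if rcode != 0:
        return "ERROR: " + RCODES.get(rcode, "RCODE%d" % rcode)
    label = "AD" if flags & AD else "no AD"
    if flags & TC:
        label += " (TRUNCATED)"     # reply did not fit; larger EDNS size or TCP needed
    return label

def validating_share(replies):
    """Return (tally, share of error-free replies that carry the AD flag)."""
    tally = Counter(classify(r) for r in replies)
    with_ad = sum(n for k, n in tally.items() if k.startswith("AD"))
    without = sum(n for k, n in tally.items() if k.startswith("no AD"))
    usable = with_ad + without
    return tally, (with_ad / usable if usable else 0.0)

def make_header(flags):
    """Constructed sample: 12-byte header, ID 0x1234, one question counted."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

SAMPLE = [                          # constructed replies, one per resolver
    make_header(0x81A0),            # QR RD RA AD: validated answer
    make_header(0x81A0),
    make_header(0x8180),            # QR RD RA: answer without AD
    make_header(0x83A0),            # TC and AD both set
    make_header(0x8181),            # RCODE 1, FORMERR
    make_header(0x8182),            # RCODE 2, SERVFAIL
    None,                           # timeout
]

if __name__ == "__main__":
    tally, share = validating_share(SAMPLE)
    for label, count in tally.most_common():
        print("[%s] : %d occurrences" % (label, count))
    print("share with AD among usable replies: %.0f%%" % (share * 100))
```

The AD flag is the resolver's own claim and is not protected on the path between stub and resolver, so a count like this measures resolvers that report validation. Querying a name with a deliberately broken signature and expecting SERVFAIL is the stricter check.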