* Tony Finch:

> Florian Weimer <fw@deneb.enyo.de> wrote:
>
>> I have "dnssec-enable no;" in my bind config.
>> It does not seem to have the intended effect.
>
> BIND's interpretation of the DO bit is "I understand DNSSEC RRs so it is OK to send them" not "I would like you to send DNSSEC RRs". This is why it always sets the DO bit when it can, i.e. when the request contains an EDNS OPT pseudo-RR.

I would go even further---the DO bit is not about DNSSEC at all. The resolver just promises to ignore any ancillary record sets it does not understand. If DO were about DNSSEC, a new flag would have been introduced along with DNSSECbis, where the record types changed so that for resolvers implementing the older protocol, the DNSSECbis records just looked like garbage.
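As an added illustration of where the DO bit discussed above actually lives (it is not code from this thread or from BIND): the flag is bit 15 of the reinterpreted TTL field of the EDNS(0) OPT pseudo-RR, so "sending DO" just means adding an OPT record with that bit set. The helper below builds a query with or without DO and reads the bit back from any message; the names, the query id and the 1232-byte payload size are constructed for the example.

```python
import struct

# EDNS(0) OPT pseudo-RR layout (RFC 6891): NAME is the root (one zero byte),
# TYPE = 41, CLASS carries the sender's UDP payload size, and the 32-bit TTL
# field is reinterpreted as: extended RCODE (8 bits) | EDNS version (8 bits) |
# DO flag (1 bit) | reserved Z bits (15 bits).
TYPE_OPT = 41
DO_BIT = 0x8000  # top bit of the 16-bit flags half of the OPT "TTL"

def build_opt_rr(udp_size=1232, do=True):
    """Serialize an OPT RR with no options; udp_size is a constructed value."""
    flags = DO_BIT if do else 0
    # root name, TYPE, CLASS(payload size), ext-RCODE, version, flags, RDLENGTH
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)

def build_query(name, qtype=1, do=True, qid=0x1234):
    """Build a wire-format query (RD=1) for name/qtype with one OPT RR in ADDITIONAL."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # qd=1, an=0, ns=0, ar=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # IN class
    return header + question + build_opt_rr(do=do)

def skip_name(buf, off):
    """Advance past a (possibly compressed) owner name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def do_bit_set(msg):
    """True/False for the DO flag of the first OPT RR found; None if no OPT RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None  # plain (non-EDNS) message: DO cannot be expressed at all
```

A resolver that sends OPT without DO is still promising nothing about DNSSEC validation; it only withholds the "feel free to include DNSSEC RRs" signal.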