[atlas] dnssec validating system tag?

On Sat, Apr 21, 2018 at 03:57:26AM +0300,
 Tapio Sokura <tapio.sokura at iki.fi> wrote 
 a message of 9 lines which said:

> Has there been thoughts about making the probes do dnssec resolver
> statistics gathering? I.e. how many / which probes are configured
> with dns resolvers that do / don't do dnssec validation?

It would be a cool system tag (although there are some issues, such as
probes with two resolvers, one validating and not the other).

In the mean time, you can measure:

% blaeu-resolve --displayvalidation -4 --requested 2000 atlas.ripe.net
Measurement #12283537 for atlas.ripe.net/AAAA uses 1999 probes
...
[ (Authentic Data flag)  2001:67c:2e8:22::c100:69e] : 821 occurrences 
[2001:67c:2e8:22::c100:69e] : 1071 occurrences 
[ERROR: FORMERR] : 7 occurrences 
[TIMEOUT(S)] : 19 occurrences 
[] : 1 occurrences 
[ (Authentic Data flag)   (TRUNCATED May have to use --ednssize)  2001:67c:2e8:22::c100:69e] : 2 occurrences 
[ERROR: SERVFAIL] : 1 occurrences 
Test #12283537 done at 2018-04-23T10:45:48Z

Basically, a small half of the probes used in this test have a validating
resolver. "Truncated" messages are bugs somewhere. Some resolvers are
probably buggy and do not like the DO bit, triggering FORMERR.

If you ask only IPv6 probes, you have a better result:

% ./blaeu-resolve --displayvalidation --requested 2000 atlas.ripe.net
[ (Authentic Data flag)  2001:67c:2e8:22::c100:69e] : 1049 occurrences 
[2001:67c:2e8:22::c100:69e] : 839 occurrences 
[TIMEOUT(S)] : 14 occurrences 
[ (Authentic Data flag)   (TRUNCATED May have to use --ednssize) ] : 1 occurrences 
[ (Authentic Data flag)   (TRUNCATED May have to use --ednssize)  2001:67c:2e8:22::c100:69e] : 1 occurrences 
[ (TRUNCATED May have to use --ednssize)  2001:67c:2e8:22::c100:69e] : 1 occurrences 
[ERROR: FORMERR] : 6 occurrences 
Test #12283509 done at 2018-04-23T10:34:34Z

Which makes sense, networks with IPv6 are probably "geekier".