Reply to comment:

Geoff Huston
Thanks indeed for your comments. The ability for DNS recursive resolvers and DNS forwarders to chain in sequence is well made. You are correct in that the authoritative nameserver receives queries from a some form of DNS resolver, and its not entirely clear whether the resolver is a recursive resolver that is performing DNSSEC validation, or it's a simple forwarder that has a number of resolvers "behind" it, some of which perform DNSSEC-validation and some may not. The measurement methodology we used here made some generous assumptions here, in that if we saw DNSKEY RR queries from a resolver then we assumed that the resolver was a DNSSEC validating resolver. It would perhaps be more careful to claim that what this DNSKEY RR query actually means was that either this is a DNSSEC-validating resolver, or that this is a DNS forwarder and one of more DNSEC-validating resolvers lie behind this resolver. Using the queries gathered at an authoritative name server to infer the behaviour of DNS resolvers is of course an exercise that involves a set of assumptions that are in effect generous in terms of counting the DNSSEC-validating resolvers. Yes, the numbers presented here are a somewhat rosy view of the DNSSEC world. We have some further results to report in a few days that qualify some of these numbers by considering the client behaviour when resolving names.