MoinQ:

DNSSEC/validating-resolversについて、ここに記述してください。

http://www.ietf.org/mail-archive/web/dnsext/current/msg11127.html

DO=1 is ALL you require to do your own authentication 99.99999999% of the time.

CD=1 is ONLY needed when the upsteam is doing DNSSEC and its concept
of the current time and/or its set of trust anchors differ to yours.

CD=1 doesn't help you when the upstream is treating the zone the
answer comes from as insecure.

CD=0 DOES NOT mean you are not authenticating.

A validating resolver with direct access to the athoritative servers
can work around a number of operational errors by being able to
retry the query with different servers.

A validating resolver behind a cache does not have this recovery
path.  The EDNS option is designed to give it that recovery path.