Describe DNSSEC/validating-resolvers here.
http://www.ietf.org/mail-archive/web/dnsext/current/msg11127.html
DO=1 is ALL you require to do your own authentication 99.99999999% of the time. CD=1 is ONLY needed when the upstream is doing DNSSEC and its concept of the current time and/or its set of trust anchors differ to yours. CD=1 doesn't help you when the upstream is treating the zone the answer comes from as insecure. CD=0 DOES NOT mean you are not authenticating. A validating resolver with direct access to the authoritative servers can work around a number of operational errors by being able to retry the query with different servers. A validating resolver behind a cache does not have this recovery path. The EDNS option is designed to give it that recovery path.
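The two bits the post contrasts live in different places on the wire: DO is the top bit of the extended flags in the EDNS0 OPT record (RFC 3225), while CD is a header flag next to AD (RFC 4035). The following is an added example, not code from the quoted post or from any resolver project: it builds a query with either bit set and decodes the bits back out of a packet, using only the Python standard library and constructed packets (no network). The query name, transaction id and the 1232-byte EDNS buffer size are arbitrary choices.

```python
"""Build and decode DNS queries carrying the DNSSEC-related bits:
DO (EDNS0 OPT record, RFC 3225) and CD (header flag, RFC 4035)."""
import struct

# Header flag bits (RFC 1035; AD/CD from RFC 4035 section 3.2)
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_AD = 1 << 5
FLAG_CD = 1 << 4
# DO is bit 15 of the 16-bit extended flags stored in the OPT record's TTL field
EDNS_DO = 1 << 15
TYPE_OPT = 41


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, dnssec_ok=True,
                checking_disabled=False, udp_size=1232):
    """Return a wire-format query: RD always set, CD and DO as requested.
    An OPT record is always appended (DO=0 still means 'EDNS, no DNSSEC RRs')."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    # qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    ext_flags = EDNS_DO if dnssec_ok else 0
    opt_ttl = (0 << 24) | (0 << 16) | ext_flags  # extended RCODE 0, EDNS version 0
    # OPT: root name, type 41, class = requestor's UDP payload size, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, opt_ttl, 0)
    return header + question + opt


def skip_name(pkt, off):
    """Return the offset just past the name starting at off (handles pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + length


def decode_flags(pkt):
    """Extract QR/RD/AD/CD from the header and DO from the OPT record, if any."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # qtype + qclass
    dnssec_ok = False
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            dnssec_ok = bool((ttl & 0xFFFF) & EDNS_DO)
        off += 10 + rdlen
    return {
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "do": dnssec_ok,
    }


if __name__ == "__main__":
    # Constructed queries: the usual DO=1 case, and DO=1 plus CD=1 for the
    # "upstream has different time or trust anchors" case from the post.
    for cd in (False, True):
        q = build_query("example.com.", checking_disabled=cd)
        print(len(q), "bytes:", decode_flags(q))
```

A validating stub behind a cache sends the first form by default; only if the cache answers SERVFAIL because its own validation failed (different clock or trust anchors) does retrying with CD=1 help, and it never helps when the cache simply considers the zone insecure.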