[dns-operations] Validating or not validating (ICANN controlled interruption)

Rubens Kuhl rubensk at nic.br
Wed Sep 3 12:41:13 UTC 2014


What I can tell you is that registries and applicants suggested that ICANN not require DNSSEC-signing of wildcard controlled interruption due to likely differences in resolver behaviour, including some known bugs.

Rubens

On Sep 3, 2014, at 4:00 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
> set.
> 
> Unbound gives back the answer but without the AD bit.
> 
> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
> 
> In some cases (difficult to pinpoint, depending on the resolver's
> state), both BIND and Unbound return SERVFAIL.
> 
> Who's right?
> 
> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
> non-existent" while they elicit an answer.




