[dns-operations] Validating or not validating (ICANN controlled interruption)

David Conrad drc at virtualized.org
Wed Sep 3 21:49:10 UTC 2014


Rubens,

<hatless>
But isn’t it better we shake these sorts of things out now?
</hatless>

Regards,
-drc

On Sep 3, 2014, at 5:41 AM, Rubens Kuhl <rubensk at nic.br> wrote:

> 
> What I can tell you is that registries and applicants suggested that ICANN not require DNSSEC-signing of wildcard controlled interruption due to likely differences in resolver behaviour, including some known bugs.
> 
> Rubens
> 
> On Sep 3, 2014, at 4:00 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> 
>> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
>> set.
>> 
>> Unbound gives back the answer but without the AD bit.
>> 
>> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
>> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
>> 
>> In some cases (difficult to pinpoint, depending on the resolver's
>> state), both BIND and Unbound return SERVFAIL.
>> 
>> Who's right?
>> 
>> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
>> non-existent" while they elicit an answer.
> 
> 
