[dns-operations] Research Project: Identifying DNSSEC Validators

Wessels, Duane dwessels at verisign.com
Wed Sep 5 17:40:03 UTC 2012

On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:

>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.

Yes, that is correct.  It is a relatively simple test.  First response
has RRSIGs removed, second response within a short time leaves the
RRSIGs in.

We find that most implementations will retry, although we know of one
that does not (Nominum/Vantio).  In this work we whitelist Nominum after
a followup version.bind query.

Duane W.
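
The alternating-response test described in the message above, as an added example that is not part of the original post or the research project's code. The retry window, the query-log shape, the verdict labels and the version.bind string match are assumptions made for illustration.

```python
# Added illustration; log format, window and version strings are assumptions.
from collections import namedtuple

RETRY_WINDOW = 5.0  # seconds; assumed value, the post only says "a short time"

Query = namedtuple("Query", "ts src qname qtype")

def serve_and_classify(queries, version_bind=None):
    """Replay queries in time order through the alternating test.

    Returns (responses, verdicts): responses lists which zone version each
    query received; verdicts maps each source address to a classification.
    """
    version_bind = version_bind or {}
    last_stripped = {}  # (src, qname, qtype) -> time the RRSIG-less answer went out
    responses, retried, seen = [], set(), set()
    for q in sorted(queries, key=lambda item: item.ts):
        key = (q.src, q.qname.lower(), q.qtype)
        seen.add(q.src)
        sent = last_stripped.get(key)
        if sent is not None and q.ts - sent <= RETRY_WINDOW:
            # Retry inside the window: leave the RRSIGs in this time.
            responses.append((q, "signed"))
            retried.add(q.src)
            del last_stripped[key]
        else:
            # First query (or window expired): answer with RRSIGs removed.
            responses.append((q, "stripped"))
            last_stripped[key] = q.ts
    verdicts = {}
    for src in seen:
        if src in retried:
            verdicts[src] = "retried"
        elif "nominum" in version_bind.get(src, "").lower():
            # Implementation known not to retry; follow-up version.bind check.
            verdicts[src] = "whitelisted"
        else:
            verdicts[src] = "no-retry"
    return responses, verdicts

# Constructed sample input (documentation address ranges, made-up timings).
SAMPLE = [
    Query(0.00, "192.0.2.10", "test.example.", "A"),
    Query(0.35, "192.0.2.10", "test.example.", "A"),    # retry -> signed
    Query(1.00, "198.51.100.7", "test.example.", "A"),  # never retries
    Query(2.00, "203.0.113.5", "test.example.", "A"),   # never retries
    Query(9.00, "203.0.113.9", "test.example.", "A"),
    Query(20.0, "203.0.113.9", "test.example.", "A"),   # too late: stripped again
]
SAMPLE_VERSIONS = {"203.0.113.5": "Nominum Vantio (constructed string)"}
```

A source that never retries is not necessarily a non-validator, which is why the non-retrying case is checked separately before a verdict is recorded.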
