[dns-operations] Research Project: Identifying DNSSEC Validators
Wessels, Duane
dwessels at verisign.com
Wed Sep 5 17:40:03 UTC 2012
On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:
>
>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
>
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.

Yes, that is correct. It is a relatively simple test. First response
has RRSIGs removed, second response within a short time leaves the
RRSIGs in.

We find that most implementations will retry, although we know of one
that does not (Nominum/Vantio). In this work we whitelist Nominum after
a followup version.bind query.

Duane W.
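
The retry test described in the message above, sketched as an added example that is not part of the original post or the project's own code. The log layout, the 5-second window, the addresses, names and the version.bind banner are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed value: the post only says "a short time".
RETRY_WINDOW = 5.0  # seconds

# Constructed authoritative-side log, one tuple per query answered:
# (timestamp, resolver address, qname, were RRSIGs left in the response?)
SAMPLE_LOG = [
    (0.00, "192.0.2.10", "a1.test.example.", False),
    (0.25, "192.0.2.10", "a1.test.example.", True),   # prompt retry
    (1.00, "192.0.2.20", "b2.test.example.", False),  # never comes back
    (2.00, "192.0.2.30", "c3.test.example.", False),
    (40.0, "192.0.2.30", "c3.test.example.", True),   # outside the window
    (3.00, "192.0.2.40", "d4.test.example.", False),  # no retry, see banner
]

# Constructed answers to a follow-up version.bind query, keyed by resolver.
VERSION_BIND = {"192.0.2.40": "Nominum Vantio (constructed banner)"}
WHITELIST_MARKERS = ("nominum", "vantio")


def classify(log, versions, window=RETRY_WINDOW):
    """Label each resolver 'retried', 'whitelisted' or 'no-retry'."""
    by_probe = defaultdict(list)
    for ts, resolver, qname, signed in sorted(log):
        by_probe[(resolver, qname)].append((ts, signed))

    result = {}
    for (resolver, _qname), events in by_probe.items():
        stripped = [ts for ts, signed in events if not signed]
        if not stripped:
            continue  # this probe never saw the RRSIG-stripped response
        first = stripped[0]
        # Any further query for the same name inside the window is a retry.
        retried = any(0 < ts - first <= window for ts, _ in events)
        if retried:
            result[resolver] = "retried"
        elif result.get(resolver) != "retried":
            banner = versions.get(resolver, "").lower()
            listed = any(marker in banner for marker in WHITELIST_MARKERS)
            result[resolver] = "whitelisted" if listed else "no-retry"
    return result


if __name__ == "__main__":
    for resolver, label in classify(SAMPLE_LOG, VERSION_BIND).items():
        print(resolver, label)
```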