[dns-operations] Research Project: Identifying DNSSEC Validators
ogud at ogud.com
Thu Sep 6 14:50:44 UTC 2012
Duane,
I cannot reach the webserver from my laptop, which runs DNSSEC-trigger
with Unbound on the local machine, forwarding to an Unbound on a local router
that forwards to an Unbound, BIND or Nominum server.
In short, your setup assumes that there is only one recursive resolver between the user
and the authoritative server; that is not the case anymore :-)
Why can't you just use a DNSKEY RRset with a TTL of a few seconds
to detect validating resolvers?
Olafur
-----Original Message-----
From: "Wessels, Duane" <dwessels at verisign.com>
Sent: Wednesday, 5 September, 2012 13:40
To: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Research Project: Identifying DNSSEC Validators
On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:
>
>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
>
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.
Yes, that is correct. It is a relatively simple test. The first response
has the RRSIGs removed; a second response within a short time leaves the
RRSIGs in.
We find that most implementations will retry, although we know of one
that does not (Nominum/Vantio). In this work we whitelist Nominum after
a follow-up version.bind query.
Duane W.
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
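The probe Duane describes (first answer with RRSIGs stripped, a second answer shortly afterwards with them present, resolvers that re-ask treated as validators, Nominum whitelisted via version.bind) and the forwarding-chain case Olafur raises, as an added simulation in Python. This is not code from the thread or from the research project; the retry window, the forwarder's cache TTL, the client addresses, the log line format and the version.bind banner text are all assumptions made for the example.

```python
"""Simulation of the strip-RRSIGs-then-re-sign probe for spotting validating
resolvers, plus a classifier run over the constructed query log it produces."""
from dataclasses import dataclass, field

RETRY_WINDOW = 5.0   # seconds; assumed, the thread only says "a short time"


@dataclass
class ProbeServer:
    """Authoritative side of the experiment. The first query for a (client, name)
    pair is answered with the RRSIGs removed; any further query from the same
    client within `window` seconds gets the signed RRset. Every answer is logged
    as "<time> <client> <qname> <unsigned|signed>" (assumed log format)."""
    window: float = RETRY_WINDOW
    first_seen: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def respond(self, client, qname, now):
        key = (client, qname)
        t0 = self.first_seen.get(key)
        if t0 is None or now - t0 > self.window:
            self.first_seen[key] = now
            mode = "unsigned"
        else:
            mode = "signed"
        self.log.append(f"{now:.3f} {client} {qname} {mode}")
        return mode


class CachingForwarder:
    """Non-validating resolver sitting between a user and the probe server
    (the router / ISP hop in Olafur's setup). It caches whatever the upstream
    said for `ttl` seconds, so a downstream retry is served from cache and the
    authoritative server never sees a second query from this address."""
    def __init__(self, upstream, addr, ttl=30.0):
        self.upstream, self.addr, self.ttl = upstream, addr, ttl
        self.cache = {}

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit and now - hit[1] < self.ttl:
            return hit[0]
        mode = self.upstream.respond(self.addr, qname, now)
        self.cache[qname] = (mode, now)
        return mode


def validating_client(resolve, qname, now):
    """A validating resolver/stub: an answer without RRSIGs for a signed zone is
    bogus, so it asks once more (0.2 s later, assumed) before giving up."""
    answer = resolve(qname, now)
    if answer == "unsigned":
        answer = resolve(qname, now + 0.2)
    return "ok" if answer == "signed" else "SERVFAIL"


def classify(log_lines, window=RETRY_WINDOW):
    """Return {client: verdict} from probe-server log lines. A client that asks
    the same name again within `window` seconds of an unsigned answer behaved
    like a validator; one that never came back is marked 'no-retry'."""
    unsigned_at, verdict = {}, {}
    for line in log_lines:
        ts, client, qname, mode = line.split()
        ts, key = float(ts), (client, qname)
        if mode == "unsigned":
            unsigned_at[key] = ts
            verdict.setdefault(client, "no-retry")
        elif key in unsigned_at and ts - unsigned_at[key] <= window:
            verdict[client] = "retried-validator"
    return verdict


def apply_whitelist(verdict, version_bind):
    """Follow-up step from the thread: clients whose version.bind answer looks
    like Nominum/Vantio are whitelisted instead of counted as non-retrying.
    The substring match on the banner is an assumption."""
    out = dict(verdict)
    for client, banner in version_bind.items():
        if client in out and any(s in banner for s in ("Vantio", "Nominum")):
            out[client] = "whitelisted"
    return out


def run_demo():
    server = ProbeServer()
    # 1. Validator talking directly to the authoritative server: retries, reaches the site.
    direct = validating_client(lambda q, t: server.respond("192.0.2.10", q, t),
                               "www.example.", 0.0)
    # 2. Olafur's case: validating laptop behind a caching, non-validating forwarder.
    fwd = CachingForwarder(server, "198.51.100.1")
    chained = validating_client(fwd.resolve, "www.example.", 10.0)
    # 3. Non-validating resolver: accepts the unsigned answer, never retries.
    server.respond("192.0.2.20", "www.example.", 20.0)
    banners = {"192.0.2.20": "Vantio (constructed banner text)"}
    return direct, chained, apply_whitelist(classify(server.log), banners)


if __name__ == "__main__":
    print(run_demo())
```

The interesting output is case 2: the forwarder caches the RRSIG-less answer, the laptop's retry is served from that cache, the user gets SERVFAIL, and the probe log shows a single query from the forwarder's address, so the classifier files a validating setup under "no-retry". That is the failure Olafur reports, and it is also why keying the retry detection on the source address of the query only works when there is exactly one recursive hop.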