[dns-operations] Research Project: Identifying DNSSEC Validators

ogud at ogud.com ogud at ogud.com
Thu Sep 6 14:50:44 UTC 2012


I cannot reach the webserver on my laptop, which runs DNSSEC-trigger
with Unbound on the local machine, forwarding to an Unbound on a local router,
that forwards to an Unbound, BIND or Nominum server.

In short your setup assumes that there is only one recursive resolver between the user 
and authoritative server, that is not the case anymore :-) 

Why can't you just use a DNSKEY RRset with a TTL of a few seconds
to detect validating resolvers?


-----Original Message-----
From: "Wessels, Duane" <dwessels at verisign.com>
Sent: Wednesday, 5 September, 2012 13:40
To: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Research Project: Identifying DNSSEC Validators

On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:

>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.

Yes, that is correct.  It is a relatively simple test.  First response
has RRSIGs removed, second response within a short time leaves the
RRSIGs in.

We find that most implementations will retry, although we know of one
that does not (Nominum/Vantio).  In this work we whitelist Nominum after
a follow-up version.bind query.

Duane W.
dns-operations mailing list
dns-operations at lists.dns-oarc.net
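The probe Duane describes, as an added simulation that is not code from the research project or from either poster: the authoritative side answers the first query for a probe name with the RRSIGs stripped, answers a repeat query within a short window with the RRSIGs left in, and classifies a resolver that re-asks as validating; a resolver that never retries is whitelisted only if a follow-up version.bind probe identified it as Nominum/Vantio. The window length, the record names, the source addresses and the sample query log are constructed assumptions; the thread only says "a short time".

```python
"""Simulation of the 'strip RRSIGs once, then answer signed' validator probe.

Added example, not the research project's code. Everything below the
docstring (names, addresses, timings) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RETRY_WINDOW = 2.0  # seconds; assumption, the thread only says "a short time"


@dataclass
class Query:
    t: float      # arrival time in seconds, as seen by the authoritative server
    src: str      # address of the querying resolver
    qname: str    # probe name queried


@dataclass
class ProbeState:
    first_seen: float
    queries: int = 1
    retried_in_window: bool = False


class ProbeServer:
    """Authoritative server that answers a probe name unsigned once, then signed."""

    def __init__(self, window: float = RETRY_WINDOW):
        self.window = window
        self.state: Dict[str, ProbeState] = {}
        self.version_bind: Dict[str, str] = {}  # results of follow-up CH TXT version.bind probes

    @staticmethod
    def key(src: str, qname: str) -> str:
        # Keying on (src, qname) assumes the retry arrives from the same address.
        # Behind a forwarder chain (the setup ogud describes) the retry may come
        # from a different resolver; a unique per-probe qname would then be the
        # safer key. That generalisation is an assumption of this example.
        return f"{src}|{qname}"

    def answer(self, q: Query) -> dict:
        """Return the response the probe sends for this query."""
        k = self.key(q.src, q.qname)
        st = self.state.get(k)
        if st is None:
            self.state[k] = ProbeState(first_seen=q.t)
            return {"qname": q.qname, "rrsig": False}   # first answer: RRSIGs removed
        st.queries += 1
        if q.t - st.first_seen <= self.window:
            st.retried_in_window = True                 # re-ask soon after: validator behaviour
        return {"qname": q.qname, "rrsig": True}        # later answers: RRSIGs left in

    def record_version_bind(self, src: str, text: str) -> None:
        self.version_bind[src] = text

    def classify(self, src: str, qname: str) -> str:
        st = self.state.get(self.key(src, qname))
        if st is None:
            return "unknown"
        if st.retried_in_window:
            return "validating"
        vb = self.version_bind.get(src, "").lower()
        if "vantio" in vb or "nominum" in vb:
            return "whitelisted-nominum"   # known not to retry, per the thread
        # No retry and no whitelist hit: either no validation, or a retry that
        # arrived from another address or after the window expired.
        return "not-validating"


# Constructed sample query log (addresses from the documentation range 192.0.2.0/24).
SAMPLE_QUERIES: List[Query] = [
    Query(0.0, "192.0.2.10", "probe.example."),
    Query(0.3, "192.0.2.10", "probe.example."),    # immediate retry -> validating
    Query(1.0, "192.0.2.20", "probe.example."),    # single query, nothing else known
    Query(2.0, "192.0.2.30", "probe.example."),    # single query, later identified as Vantio
    Query(3.0, "192.0.2.40", "probe.example."),
    Query(30.0, "192.0.2.40", "probe.example."),   # re-query after cache expiry, outside window
]


def run_sample() -> Tuple[Dict[str, str], List[dict]]:
    """Feed the constructed log through the probe and classify each source."""
    srv = ProbeServer()
    answers = [srv.answer(q) for q in SAMPLE_QUERIES]
    srv.record_version_bind("192.0.2.30", "Vantio 5.4.0.0")  # constructed probe result
    classes = {src: srv.classify(src, "probe.example.")
               for src in sorted({q.src for q in SAMPLE_QUERIES})}
    return classes, answers


if __name__ == "__main__":
    for src, cls in run_sample()[0].items():
        print(f"{src:12s} {cls}")
```

The classifier is deliberately keyed the way the thread implies (one resolver address per probe), which is exactly what makes ogud's multi-level forwarding setup ambiguous: the retry can arrive from a different address, and the resolver that actually validates is never seen directly by the authoritative server.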