[dns-operations] Research Project: Identifying DNSSEC Validators

Wessels, Duane dwessels at verisign.com
Thu Sep 6 17:43:12 UTC 2012

On Sep 6, 2012, at 7:50 AM, ogud at ogud.com wrote:

> Duane, 
> I can not reach the webserver on my laptop, running DNSSEC-trigger 

We changed the RRSIG-remover so that it won't remove the signatures
from "validatorsearch.verisignlabs.com" itself.  Hopefully that
allows you to view the page now.

> that has Unbound on the local machine, forwarding to a Unbound on a local router, 
> that forwards to Unbound, Bind or Nominum  server. 
> In short your setup assumes that there is only one recursive resolver between the user 
> and authoritative server, that is not the case anymore :-)

I wouldn't say our setup assumes only one recursive in the path, but it certainly
does assume the validator will retry.  In our tests most implementations do retry.
Nominum doesn't of course, and we have numerous reports that Unbound doesn't always
retry.  So either its version-dependent or something else is going on.

> Why can't you just use DNSKEY RRset with TTL of few seconds 
> to detect validating resolvers?

Sorry, I don't quite follow.  We were looking for more evidence
than "I sent a DNSKEY query so therefore I must be a validator."


More information about the dns-operations mailing list