[dns-operations] Research Project: Identifying DNSSEC Validators

Ralf Weber Ralf.Weber at nominum.com
Thu Sep 6 18:43:39 UTC 2012


On 06.09.2012, at 19:43, "Wessels, Duane" <dwessels at verisign.com> wrote:
> I wouldn't say our setup assumes only one recursive in the path, but it certainly
> does assume the validator will retry.  In our tests most implementations do retry.
> Nominum doesn't of course, and we have numerous reports that Unbound doesn't always
> retry.  So either it's version-dependent or something else is going on.
The protocol doesn't mandate a resolver to retry, so it's not a requirement, and the whitelisting that you do for Vantio also only works in the case where you can query the resolver inbound from the Internet on the query source IP. That is something you cannot take for granted, and it is the reason why the resolver behind my home gateway did not work.

The approach from Matthäus described earlier in the thread, using JavaScript and two pics, one validating and one not, seems cleaner to me and can deal with all the cases Olafur, myself and others had problems with.

So long
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400 
Redwood City, California 94063
ralf.weber at nominum.com
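The two-image approach mentioned above, written out as an added example (it is not code from the thread, from Matthäus, or from Nominum or Verisign). It assumes two hypothetical image URLs: one served from a zone with a valid DNSSEC chain, the other from a zone whose signatures are deliberately broken. A validating resolver answers SERVFAIL for the broken zone, so the browser cannot load that image; a non-validating resolver loads both. Because the test runs in the client's browser, it works behind a home gateway where the resolver cannot be queried from the Internet.

```javascript
// Added example, not from the original thread. Hostnames are assumptions.
const PROBES = {
  good: "https://dnssec-valid.example/pixel.png",   // hypothetical: properly signed zone
  bad:  "https://dnssec-broken.example/pixel.png",  // hypothetical: zone with bogus signatures
};

// Classify the resolver from the outcome of the two image loads.
// Only the combination "valid loads, broken fails" is evidence of validation.
// Anything else (nothing loaded, images blocked, only the broken one loaded)
// is treated as inconclusive rather than as a non-validating resolver.
function classifyResolver(goodLoaded, badLoaded) {
  if (goodLoaded && !badLoaded) return "validating";
  if (goodLoaded && badLoaded) return "not-validating";
  return "inconclusive";
}

// Load one image in the browser; resolves true on load, false on error or timeout.
// A cache-busting query string forces a fresh HTTP request on every visit.
function probeImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url + "?t=" + Date.now();
  });
}

// Run both probes concurrently and return the classification.
// Browser-only: Image is not available outside a page context.
async function detectValidation(probes = PROBES) {
  const [goodLoaded, badLoaded] = await Promise.all([
    probeImage(probes.good),
    probeImage(probes.bad),
  ]);
  return classifyResolver(goodLoaded, badLoaded);
}
```

Calling `detectValidation()` from a page and reporting the result back to the server gives one measurement per visitor, independent of how many recursives sit between the browser and the authoritative servers and of whether any of them retries.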
