[dns-operations] google DNS doing validation?

Phil Regnauld regnauld at nsrc.org
Mon Jan 28 17:25:46 UTC 2013

Stephan Lagerholm (stephan.lagerholm) writes:
> Not sure about that.
> I get the AD bit back but oddly enough, the Swedish deliberately broken site trasigdnssec.se does not servfail on the but it does on the google dns v6 address:

	I've observed this as well: records with valid signatures get
	validated and I see the AD bit, but broken ones (different
	zone) aren't validated and returned as is.

	Some sort of balancing or hashing based on the types of queries (or
	plain round robin)?

	What if one tests with secure and bogus RRsets within the same zone?
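The check discussed in this thread, as an added example that is not part of the original message: it reads the AD bit and RCODE from the DNS header of repeated replies for a validly signed name and a deliberately broken one, and reports whether the resolver behaves consistently. The function names and the sample replies (12-byte headers only) are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020        # Authenticated Data bit in the DNS header flags (RFC 4035)
RCODE_SERVFAIL = 2      # what a validating resolver returns for bogus data


def make_header(flags: int) -> bytes:
    """Build a constructed 12-byte DNS header (ID, flags, four section counts)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)


# Constructed sample replies: QR|RD|RA set, with AD or an RCODE added.
REPLY_AD = make_header(0x81A0)        # NOERROR, AD set
REPLY_PLAIN = make_header(0x8180)     # NOERROR, AD clear (answer returned as is)
REPLY_SERVFAIL = make_header(0x8182)  # SERVFAIL, AD clear


def parse_header(msg: bytes):
    """Return (rcode, ad_bit) from the header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags = struct.unpack("!HH", msg[:4])
    return flags & 0x000F, bool(flags & AD_FLAG)


def classify(secure_replies, bogus_replies) -> str:
    """Classify resolver behaviour from several replies per test name.

    secure_replies: replies for a name with valid signatures.
    bogus_replies:  replies for a name with deliberately broken signatures.
    """
    if not secure_replies or not bogus_replies:
        raise ValueError("need at least one reply for each test name")
    secure = [parse_header(m) for m in secure_replies]
    bogus = [parse_header(m) for m in bogus_replies]
    ad_ok = sum(1 for rcode, ad in secure if rcode == 0 and ad)
    failed = sum(1 for rcode, _ad in bogus if rcode == RCODE_SERVFAIL)
    if ad_ok == len(secure) and failed == len(bogus):
        return "validating"
    if ad_ok == 0 and failed == 0:
        return "not validating"
    # AD on good data but bogus data passed through, or answers that differ
    # between samples (for example, different backends behind one address).
    return "inconsistent"
```

Sampling each name several times matters here: a single reply cannot distinguish a non-validating resolver from one whose backends differ.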

