[dns-operations] Validating or not validating (ICANN controlled interruption)

David Conrad drc at virtualized.org
Wed Sep 3 21:49:10 UTC 2014


But isn’t it better we shake these sorts of things out now?


On Sep 3, 2014, at 5:41 AM, Rubens Kuhl <rubensk at nic.br> wrote:

> What I can tell you is that registries and applicants suggested ICANN to not require DNSSEC-signign of wildcard controlled interruption due to likely differences in resolver behaviour, including some known bugs. 
> Rubens
> On Sep 3, 2014, at 4:00 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
>> set.
>> Unbound gives back the answer but without the AD bit.
>> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
>> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
>> In some cases (difficult to pinpoint, depending on the resolver's
>> state), both BIND and Unbound return SERVFAIL.
>> Who's right?
>> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
>> non-existent" while they elicit an answer.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140903/1586f82b/attachment.sig>

More information about the dns-operations mailing list