On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:

>
>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
>
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.

Yes, that is correct. It is a relatively simple test. First response has RRSIGs removed, second response within a short time leaves the RRSIGs in. We find that most implementations will retry, although we know of one that does not (Nominum/Vantio). In this work we whitelist Nominum after a follow-up version.bind query.

Duane W.
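
The test described in this message, sketched as an added example (not part of the original message and not the experiment's own code): it replays a query log the way such a server would answer, stripped first and signed on a retry within a short window, then classifies each resolver. The log format, the 5-second window, the sample addresses and the whitelist input are all assumptions.

```python
RETRY_WINDOW = 5.0  # seconds; assumed, the message only says "a short time"

# Constructed query log as seen at the test name server:
# (timestamp in seconds, resolver address, qname, qtype)
SAMPLE_LOG = [
    (0.00, "192.0.2.10", "probe.example.", "A"),
    (0.12, "192.0.2.10", "PrObE.example.", "A"),     # retry, with a case change
    (1.00, "198.51.100.7", "probe.example.", "A"),   # never asks again
    (2.00, "203.0.113.5", "probe.example.", "A"),
    (30.00, "203.0.113.5", "probe.example.", "A"),   # outside the window
    (3.00, "198.51.100.99", "probe.example.", "A"),  # whitelisted below
]


def replay(log, window=RETRY_WINDOW):
    """Return [(ts, ip, signed)]: which answers would have carried RRSIGs."""
    stripped_at = {}  # (ip, qname, qtype) -> time the stripped answer was sent
    answers = []
    for ts, ip, qname, qtype in sorted(log):
        key = (ip, qname.lower(), qtype)  # DNS names compare case-insensitively
        first = stripped_at.get(key)
        signed = first is not None and ts - first <= window
        if not signed:
            stripped_at[key] = ts  # start (or restart) a round, stripped answer
        answers.append((ts, ip, signed))
    return answers


def classify(log, whitelist=frozenset(), window=RETRY_WINDOW):
    """Map each resolver to 'retried', 'no-retry' or 'whitelisted'."""
    verdict = {}
    for _, ip, signed in replay(log, window):
        if ip in whitelist:
            # Identified out of band (e.g. by a version.bind follow-up query)
            verdict[ip] = "whitelisted"
        elif signed:
            verdict[ip] = "retried"
        else:
            verdict.setdefault(ip, "no-retry")
    return verdict


if __name__ == "__main__":
    result = classify(SAMPLE_LOG, whitelist={"198.51.100.99"})
    for ip, v in sorted(result.items()):
        print(ip, v)
```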
