Duane, I cannot reach the webserver on my laptop, which runs DNSSEC-trigger with Unbound on the local machine, forwarding to an Unbound on a local router, which forwards to an Unbound, BIND or Nominum server.

In short, your setup assumes that there is only one recursive resolver between the user and the authoritative server; that is not the case anymore :-) Why can't you just use a DNSKEY RRset with a TTL of a few seconds to detect validating resolvers?

Olafur

-----Original Message-----
From: "Wessels, Duane" <[email protected]>
Sent: Wednesday, 5 September, 2012 13:40
To: "Stephane Bortzmeyer" <[email protected]>
Cc: [email protected]
Subject: Re: [dns-operations] Research Project: Identifying DNSSEC Validators

On Sep 5, 2012, at 3:48 AM, Stephane Bortzmeyer wrote:

>
>> It's really weird. The name servers are serving two versions of the zone,
>> one signed and one unsigned, and they seem to be alternating between
>> them.
>
> I assume it is on purpose, part of the experiment, to probe the
> resolver's behavior.

Yes, that is correct. It is a relatively simple test. The first response has the RRSIGs removed; the second response, within a short time, leaves the RRSIGs in. We find that most implementations will retry, although we know of one that does not (Nominum/Vantio). In this work we whitelist Nominum after a follow-up version.bind query.

Duane W.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
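The exchange above describes a detection test (unsigned answer first, signed answer on retry) and an objection to it (a caching forwarder between the validator and the authoritative server). The following is an added simulation written for this thread, not code from the research project or from Unbound, BIND or Nominum. It assumes a deliberately simplified model: the authoritative server strips RRSIGs from odd-numbered responses, a validating resolver treats an RRSIG-less answer for a signed name as bogus and retries once, and a non-validating forwarder caches whatever it receives. The names, the 192.0.2.10 address and `www.example.` are constructed.

```python
"""Toy model of the 'unsigned first, signed on retry' validator test and of
what happens when a caching forwarder sits between validator and authority.

Constructed example for illustration; it is not the experiment's code and
does not reproduce real resolver retry logic, which is more involved.
"""
from dataclasses import dataclass


@dataclass
class Answer:
    qname: str
    rdata: str
    signed: bool          # True when the RRSIGs are present in the response


class Authoritative:
    """Alternates unsigned and signed answers and records who asked
    (the client address is what the experiment gets to observe)."""

    def __init__(self) -> None:
        self.queries = []  # (client_name, qname) as seen by the auth server

    def query(self, qname: str, client: str) -> Answer:
        self.queries.append((client, qname))
        # Odd-numbered responses have the RRSIGs stripped, even-numbered
        # responses keep them, mirroring the alternating zone copies.
        signed = len(self.queries) % 2 == 0
        return Answer(qname, "192.0.2.10", signed)   # constructed address


class Forwarder:
    """Non-validating caching resolver (the router-side Unbound in the middle).
    Assumption: it caches the first answer it gets and serves it for the TTL."""

    def __init__(self, name: str, upstream) -> None:
        self.name = name
        self.upstream = upstream
        self.cache = {}

    def query(self, qname: str, client: str) -> Answer:
        if qname not in self.cache:                # first request: ask upstream
            self.cache[qname] = self.upstream.query(qname, self.name)
        return self.cache[qname]                   # later requests: cache hit


class Validator:
    """Validating resolver: an unsigned answer for a signed name is bogus,
    so it retries once before giving up (SERVFAIL, modelled as None)."""

    def __init__(self, name: str, upstream, retries: int = 1) -> None:
        self.name = name
        self.upstream = upstream
        self.retries = retries

    def query(self, qname: str):
        ans = self.upstream.query(qname, self.name)
        for _ in range(self.retries):
            if ans.signed:
                break
            ans = self.upstream.query(qname, self.name)   # retry the lookup
        return ans if ans.signed else None


def run(chain_through_forwarder: bool) -> dict:
    """Resolve one name and report what the client and the auth server saw."""
    auth = Authoritative()
    upstream = Forwarder("router-unbound", auth) if chain_through_forwarder else auth
    laptop = Validator("laptop-unbound", upstream)
    ans = laptop.query("www.example.")        # constructed test name
    return {
        "resolved": ans is not None,
        "auth_queries": len(auth.queries),
        "clients_seen": sorted({c for c, _ in auth.queries}),
    }


if __name__ == "__main__":
    print("direct :", run(chain_through_forwarder=False))
    print("chained:", run(chain_through_forwarder=True))
```

With the validator talking to the authority directly, the authority sees two queries from the same client and the second one is answered with RRSIGs, so the name resolves and the retry is the signal the experiment looks for. With a caching forwarder in between, the forwarder stores the RRSIG-less answer, the validator's retry is served from that cache, the client ends up with SERVFAIL (the "cannot reach the webserver" symptom), and the authority sees a single query from the forwarder's address and therefore no retry. Real resolvers differ in detail (for instance which upstream address a retry goes to and how a forwarder treats an answer it cannot use), so treat the model as an illustration of the reasoning rather than a statement about any specific implementation.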
