On Sep 6, 2012, at 7:50 AM, [email protected] wrote:

> Duane,
>
> I can not reach the webserver on my laptop, running DNSSEC-trigger

We changed the RRSIG-remover so that it won't remove the signatures from "validatorsearch.verisignlabs.com" itself. Hopefully that allows you to view the page now.

> that has Unbound on the local machine, forwarding to a Unbound on a local router,
> that forwards to Unbound, Bind or Nominum server.
>
> In short your setup assumes that there is only one recursive resolver between the user
> and authoritative server, that is not the case anymore :-)

I wouldn't say our setup assumes only one recursive in the path, but it certainly does assume the validator will retry. In our tests most implementations do retry. Nominum doesn't of course, and we have numerous reports that Unbound doesn't always retry. So either it's version-dependent or something else is going on.

> Why can't you just use DNSKEY RRset with TTL of few seconds
> to detect validating resolvers?

Sorry, I don't quite follow. We were looking for more evidence than "I sent a DNSKEY query so therefore I must be a validator."

DW

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
