Stephan Lagerholm (stephan.lagerholm) writes:
> Not sure about that.
>
> I get the AD bit back but oddly enough, the Swedish deliberately broken site
> trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4 but it does on the
> google dns v6 address:
I've observed this as well: records with valid signatures get
validated and I see the AD bit, but broken ones (different
zone) aren't validated and returned as is.
Some sort of balancing or hashing based on the types of queries (or
plain round robin) ?
What if one tests with secure and bogus RRsets within the same zone ?
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
