What I can tell you is that registries and applicants suggested that ICANN not require DNSSEC-signing of wildcard controlled interruption due to likely differences in resolver behaviour, including some known bugs.

Rubens

On Sep 3, 2014, at 4:00 AM, Stephane Bortzmeyer <[email protected]> wrote:

> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit
> set.
>
> Unbound gives back the answer but without the AD bit.
>
> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A
> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka']
>
> In some cases (difficult to pinpoint, depending on the resolver's
> state), both BIND and Unbound return SERVFAIL.
>
> Who's right?
>
> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure,
> non-existent" while they elicit an answer.

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
