>If a stub resolver (such as an IoT device) wants to know if the recursive
>resolver is doing DNSSEC validation, I'm not aware of any mechanism other
>than doing a query that they expect will be signed, and observing the AD bit.

Do you care more about false positives or false negatives? Usually for
security it is most important to avoid false positives.

So the first check should be a zone that is deliberately bogus. If a
regular query fails with SERVFAIL and a query with the CD flag set succeeds,
then there is a good chance that the resolver is validating.

The next test should be a DNSSEC insecure zone and check if the AD bit is
clear.

The last check, whether a zone that is signed results in the AD bit being
set, might be omitted. The goal of this type of security is to fail closed.
Though it may help generate better error messages (assuming there is a way
to show them).

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
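The three-step check described in the reply above, as an added example that is not part of the original post: the decision logic is a pure function over observed responses so it can be exercised offline, and `probe` is an assumed dnspython-based helper for collecting those observations from a live resolver (the zone names you pass it are placeholders of your own choosing).

```python
"""Classify a recursive resolver as DNSSEC-validating from three probes:
a deliberately bogus zone (with and without CD), an unsigned zone, and
optionally a properly signed zone.  Added example; assumes dnspython for
the live probe only."""
from dataclasses import dataclass
from typing import Optional

# DNS header flag bits (RFC 1035 / RFC 4035 layout) and RCODEs.
AD = 0x0020
CD = 0x0010
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


@dataclass(frozen=True)
class Observation:
    """What the stub saw for one query: header RCODE and 16-bit flags."""
    rcode: int
    flags: int


def classify(bogus: Observation, bogus_cd: Observation,
             insecure: Observation, signed: Optional[Observation] = None) -> str:
    """Return 'validating', 'not-validating' or 'inconclusive' (fail closed)."""
    # Step 1: a non-validator happily answers for the bogus zone.
    if bogus.rcode == RCODE_NOERROR:
        return "not-validating"
    # A validator SERVFAILs the bogus name but answers once CD bypasses
    # validation; SERVFAIL in both cases could just be an unreachable zone.
    if bogus.rcode != RCODE_SERVFAIL or bogus_cd.rcode != RCODE_NOERROR:
        return "inconclusive"
    # Step 2: AD on data from an unsigned zone means AD cannot be trusted.
    if insecure.flags & AD:
        return "not-validating"
    # Step 3 (optional): signed data should come back with AD set.
    if signed is not None and not (signed.flags & AD):
        return "inconclusive"
    return "validating"


def probe(resolver_ip: str, name: str, cd: bool = False) -> Observation:
    """One A query to the resolver; sets DO so a validator will set AD.
    Assumes dnspython (dns.message / dns.query / dns.flags) is installed."""
    import dns.flags
    import dns.message
    import dns.query
    q = dns.message.make_query(name, "A", want_dnssec=True)
    if cd:
        q.flags |= dns.flags.CD
    r = dns.query.udp(q, resolver_ip, timeout=3)
    return Observation(rcode=r.rcode(), flags=r.flags)
```

Typical use: `classify(probe(ip, BOGUS), probe(ip, BOGUS, cd=True), probe(ip, INSECURE), probe(ip, SIGNED))` with the three zone names supplied by you.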
