We found three different behaviors across resolvers with respect to fetching after the TTL expires. Different versions of BIND behaved differently. When you populate the test bed, make sure to include examples of all three. The testing process should include heavy flow to test what we called "child sticky" behavior. The resolver stretches the TTL when the volume of lookups is sufficient. The other two types are parent centric and child centric (non sticky).

Steve

Sent from my iPhone

> On Aug 11, 2014, at 9:45 AM, David Conrad <[email protected]> wrote:
>
> Hi,
>
> I’m trying to collect an exhaustive list of (production-quality) DNSSEC
> validating resolvers. The ones I know of so far are:
>
> BIND
> Unbound
> Nominum Vantio
> Google Public DNS
>
> Any others?
>
> (From looking at the website, PowerDNS Recursor doesn’t appear to validate
> but I might be missing the obvious…)
>
> Thanks,
> -drc
