Rubens, <hatless> But isn’t it better we shake these sorts of things out now? </hatless>
Regards, -drc On Sep 3, 2014, at 5:41 AM, Rubens Kuhl <rube...@nic.br> wrote: > > What I can tell you is that registries and applicants suggested ICANN to not > require DNSSEC-signign of wildcard controlled interruption due to likely > differences in resolver behaviour, including some known bugs. > > Rubens > > On Sep 3, 2014, at 4:00 AM, Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > >> BIND validates "A nimportequoi.otsuka" and yields an answer with AD bit >> set. >> >> Unbound gives back the answer but without the AD bit. >> >> [Try it yourself, 'dig @unbound.odvr.dns-oarc.net A >> nimportequoi.otsuka' and 'dig @bind.odvr.dns-oarc.net A nimportequoi.otsuka'] >> >> In some cases (difficult to pinpoint, depending on the resolver's >> state), both BIND and Unbound return SERVFAIL. >> >> Who's right? >> >> PS: dnsviz claims that names like eb2dz5xm4s.otsuka are "secure, >> non-existent" while they elicit an answer. > > > _______________________________________________ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > dns-jobs mailing list > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
