Hi Shumon,

> Do you plan to maintain the parent/child disjoint NS domain
> (marigliano.xyz) going forward? And what about the test
> domains for other types of misconfigurations?

Great idea. Let me look into this, will get back to you with that.

> Did you look at the potential problem of members of the child (or
> parent) NS sets emitting different information? I suspect that case
> also happens.

Yes, section 4 covers this (NSSet parent != NSSet child).

We have 4 scenarios, and we always query for the A record of
$probeid-$timestamp.marigliano.xyz

The trick was to configure different NSes to return different A answers,
so we knew which NS answered which query.

Is that what you are referring to?

(In the wild, tab1 shows 2.1M domains in which the A of the NS
records from parent and child don't match at all -- that's a different
angle from your question.)


> Do you have any plans to look at the behavior of the large public
> resolvers?

That's a good idea. To answer this one, we need to configure the
scenarios again. Let me get back to you once I manage to get this set up
for other folks to test this too.

/giovane

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
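
The attribution trick described in the message above, sketched as an added example (not part of the original message and not the study's code): each probe queries the A record of $probeid-$timestamp.marigliano.xyz, and the returned address identifies which side answered. The marker addresses, the one-marker-per-NS-set simplification, the function names and the sample observations are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: one marker A answer per NS set (constructed documentation
# addresses; the message only says different NSes return different answers).
MARKER_TO_NSSET = {"192.0.2.1": "parent", "192.0.2.2": "child"}

# Query name format taken from the message: $probeid-$timestamp.marigliano.xyz
QNAME_RE = re.compile(r"^(?P<probe>\d+)-(?P<ts>\d+)\.marigliano\.xyz\.?$", re.I)

def attribute(observations):
    """Map each (qname, A answer) pair to the NS set that served it.

    Returns {probe_id: [(timestamp, nsset), ...]} ordered by timestamp.
    Names that do not match the probe format are ignored; answers that
    match no marker are kept as "unknown" rather than dropped.
    """
    per_probe = defaultdict(list)
    for qname, answer in observations:
        m = QNAME_RE.match(qname)
        if not m:
            continue
        nsset = MARKER_TO_NSSET.get(answer, "unknown")
        per_probe[int(m["probe"])].append((int(m["ts"]), nsset))
    return {probe: sorted(series) for probe, series in per_probe.items()}

def summarize(per_probe):
    """Label each probe's resolver: parent-only, child-only, mixed or unknown."""
    labels = {}
    for probe, series in per_probe.items():
        seen = {nsset for _, nsset in series}
        if "unknown" in seen:
            labels[probe] = "unknown"
        elif len(seen) == 1:
            labels[probe] = next(iter(seen)) + "-only"
        else:
            labels[probe] = "mixed"
    return labels

# Constructed sample observations: (query name, A answer seen by the probe).
SAMPLE = [
    ("1001-1700000000.marigliano.xyz.", "192.0.2.1"),
    ("1001-1700000600.marigliano.xyz.", "192.0.2.1"),
    ("1002-1700000000.marigliano.xyz.", "192.0.2.2"),
    ("1003-1700000600.marigliano.xyz.", "192.0.2.2"),
    ("1003-1700000000.marigliano.xyz.", "192.0.2.1"),
    ("1004-1700000000.marigliano.xyz.", "198.51.100.9"),
    ("www.example.org.", "192.0.2.1"),
]

if __name__ == "__main__":
    for probe, label in sorted(summarize(attribute(SAMPLE)).items()):
        print(probe, label)
```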
