From bortzmeyer at nic.fr  Fri Sep 21 08:19:27 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 21 Sep 2012 10:19:27 +0200
Subject: [Dnssec-trigger] [matthaeus.wander@uni-due.de: Measuring Occurrence
 of DNSSEC Validation]
Message-ID: <20120921081927.GB16243@sources.org>

Because of the algorithm used, it seems their algorithm fails (false
negatives) for dnssec-trigger (or other cases where the DNS validator
forwards to a non-validating recursor). Annoying.

-------------- next part --------------
An embedded message was scrubbed...
From: Matth?us Wander <matthaeus.wander at uni-due.de>
Subject: Measuring Occurrence of DNSSEC Validation
Date: Fri, 14 Sep 2012 00:26:59 +0200
Size: 15764
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20120921/31c794d1/attachment.eml>

From matthaeus.wander at uni-due.de  Wed Sep 26 15:20:27 2012
From: matthaeus.wander at uni-due.de (=?ISO-8859-1?Q?Matth=E4us_Wander?=)
Date: Wed, 26 Sep 2012 17:20:27 +0200
Subject: [Dnssec-trigger] [matthaeus.wander@uni-due.de: Measuring
 Occurrence of DNSSEC Validation]
In-Reply-To: <20120921081927.GB16243@sources.org>
References: <20120921081927.GB16243@sources.org>
Message-ID: <50631D3B.9090006@uni-due.de>

Am 21.09.2012 10:19, schrieb Stephane Bortzmeyer:
> Because of the algorithm used, it seems their algorithm fails (false
> negatives) for dnssec-trigger (or other cases where the DNS validator
> forwards to a non-validating recursor). Annoying.

The test should return a positive result even with multiple DNS
forwarders if there is at least one validating resolver on the path that
removes invalid RRs.

You will get a negative result only if a query slips through without any
validation on the DNS path. This could happen if you're using
dnssec-trigger but a VPN or WiFi profile software sneaked a
non-validating resolver into your OS network configuration.

May I ask dnssec-trigger users to check for yourselves?
http://dnssec.vs.uni-due.de/

If you get a negative result, please let me know the test time or your
IP address, so that I can check our logs about what went wrong.

Thanks,
Matt

-- 
Universit?t Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5156 bytes
Desc: S/MIME Kryptografische Unterschrift
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20120926/5499299f/attachment.bin>