[Dnssec-trigger] [matthaeus.wander at uni-due.de: Measuring Occurrence of DNSSEC Validation]

Matthäus Wander matthaeus.wander at uni-due.de
Wed Sep 26 15:20:27 UTC 2012

Am 21.09.2012 10:19, schrieb Stephane Bortzmeyer:
> Because of the algorithm used, it seems their algorithm fails (false
> negatives) for dnssec-trigger (or other cases where the DNS validator
> forwards to a non-validating recursor). Annoying.

The test should return a positive result even with multiple DNS
forwarders if there is at least one validating resolver on the path that
removes invalid RRs.

You will get a negative result only if a query slips through without any
validation on the DNS path. This could happen if you're using
dnssec-trigger but a VPN or WiFi profile software sneaked a
non-validating resolver into your OS network configuration.

May I ask dnssec-trigger users to check for yourselves?

If you get a negative result, please let me know the test time or your
IP address, so that I can check our logs about what went wrong.


Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5156 bytes
Desc: S/MIME Kryptografische Unterschrift
URL: <http://lists.nlnetlabs.nl/pipermail/dnssec-trigger/attachments/20120926/5499299f/attachment.bin>

More information about the dnssec-trigger mailing list