On Wed, Jul 08, 2020 at 09:15:02PM +0200, Stephane Bortzmeyer <[email protected]> wrote a message of 57 lines which said:
> No. My BIND and Unbound personal resolvers (which do not have a NTA)
> get a reply and set AD.

There are probably several different instances for each authoritative
server of grantee.fema.gov, and they behave differently. Here, seen by
the RIPE Atlas probes, you can see that some probes can get a DNSKEY
(when using the DO bit) and some cannot (timeout):

% blaeu-resolve -4 -r 100 --nameserver ns-dc2gtm1.dhs.gov. --type DNSKEY --dnssec grantee.fema.gov.
Nameserver ns-dc2gtm1.dhs.gov.
[TIMEOUT] : 37 occurrences
[256 3 10 aweaabvxfgryn7jl7igk3k7zpjbmvovaepmsbnn/lsugzqz6pjgz6y3/7geibgg3 ubrwa 256 3 10 aweaachfofxdoii8+/ljej5ctuursgky h3ydxjf6t/wurehzelr77yi0i8tmcpyibmo6a 257 3 10 aweaabronsypatfnhwvyn0ipda3l6hp5zwzc2i2mlxts85hvsdnhpghirwzjaio mob3e 257 3 10 aweaadfgkwupgfkp7qayvzzcrs5jza2d jlkzqkwrg90wxdvo5anbrxncoiw3kzv0 ugj+k] : 61 occurrences
[ERROR: SERVFAIL] : 2 occurrences
Test #26219900 done at 2020-07-08T19:19:20Z

Probably because they go to different instances of ns-dc2gtm1.dhs.gov.
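Added example, not part of the original message and not code from the blaeu project: a small parser for the `[RESULT] : N occurrences` summary lines quoted above, which tallies probes by outcome and flags a split between answering and failing probes. The sample input is constructed from the counts in the message with placeholder key data, and the function names and the 5% threshold are assumptions.

```python
import re

# Summary line format as it appears in the message: "[RESULT] : N occurrences"
LINE_RE = re.compile(r"^\[(?P<result>.*)\]\s*:\s*(?P<count>\d+) occurrences?$")

# Constructed sample modelled on the quoted output; <key-data> is a placeholder.
SAMPLE = """\
Nameserver ns-dc2gtm1.dhs.gov.
[TIMEOUT] : 37 occurrences
[256 3 10 <key-data> 257 3 10 <key-data>] : 61 occurrences
[ERROR: SERVFAIL] : 2 occurrences
Test #26219900 done at 2020-07-08T19:19:20Z
"""


def classify(result):
    """Map one bracketed result to a coarse outcome."""
    if result == "TIMEOUT":
        return "timeout"
    if result.startswith("ERROR:"):
        return "error"
    return "answer"


def tally(text):
    """Sum probe counts per outcome over all summary lines; other lines are ignored."""
    counts = {"answer": 0, "timeout": 0, "error": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[classify(m.group("result"))] += int(m.group("count"))
    return counts


def split_behaviour(counts, threshold=0.05):
    """True when answers and failures each exceed `threshold` of all probes,
    i.e. the outcome depends on which probe (and so which instance) was asked."""
    total = sum(counts.values())
    if total == 0:
        return False
    ok = counts["answer"] / total
    bad = (counts["timeout"] + counts["error"]) / total
    return ok > threshold and bad > threshold


if __name__ == "__main__":
    c = tally(SAMPLE)
    print(c, "split:", split_behaviour(c))
```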
