On 25. 06. 25 11:42, Willem Toorop wrote:
Hi Petr,
Thanks for this. This will also be very helpful implementing the
/scoped/ strict and opportunistic validation (on the roadmap for Unbound).
Would it be possible for you to provision the name servers for
testiscorg.ch (ns[1-4].as207960.net. ) to send along an agent domain
with an EDNS0 Report-Channel option, so we can test reporting of the
mismatch as well? (as described in the fourth paragraph of Section 3.
Upgrading NS RRset Credibility
<https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-10.html#name-upgrading-ns-rrset-credibil>)
Would it also be possible for you to provision the name servers for the
test domains to send along an agent domain with an EDNS0 Report-Channel
option? To also test reporting to the child domain (even though this is
optional in the draft).
Unfortunately these servers are not under our control, it is a throw-away
test domain.
I've poked at the possibility of moving it to our own infrastructure, but it
would be more involved and I ran out of time. Sorry!
I hope so,
Thanks!
-- Willem
Op 28-04-2025 om 18:16 schreef Petr Špaček:
Hello dnsop.
Here's a little test bed to enable testing the running code (in
Unbound) and to help evaluating the proposed protocol:
child-bogus-a.nsreval.testiscorg.ch.
child-bogus-ns.nsreval.testiscorg.ch.
child-short-ttl.nsreval.testiscorg.ch.
TXT RRs on apex will give you more details about each zone.
Generally, parent and child zones disagree on either NS name or NS
TTL. tcpdump usage is advisable to detect where queries are being sent
and at what frequency.
Please e-mail me in case it does not work or something is unclear. HTH!
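As an added example that is not part of the original thread: a small checker for the two kinds of parent/child disagreement the test bed is described as exercising (NS name and NS TTL). It assumes the NS records from the parent's referral and from the child's apex have been saved as dig-style presentation lines; the zone and server names below are constructed placeholders, not the contents of the test zones.

```python
# Added example: compare a delegation NS RRset (parent side) with the
# apex NS RRset (child side). All records below are constructed samples.

PARENT_REFERRAL = """\
child.example.\t3600\tIN\tNS\tns1.provider-a.example.
child.example.\t3600\tIN\tNS\tns2.provider-a.example.
"""
CHILD_APEX = """\
child.example.\t60\tIN\tNS\tns1.provider-b.example.
child.example.\t60\tIN\tNS\tns2.provider-a.example.
"""


def parse_ns(text):
    """Return {lower-cased NS target: TTL} from dig-style lines."""
    rrset = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop dig comments
        if not line:
            continue
        fields = line.split()
        # Expect: owner TTL IN NS target
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        # DNS names compare case-insensitively; normalise the trailing dot.
        rrset[fields[4].lower().rstrip(".") + "."] = int(fields[1])
    return rrset


def compare(parent_text, child_text):
    """List the disagreements between parent-side and child-side NS RRsets."""
    parent, child = parse_ns(parent_text), parse_ns(child_text)
    findings = []
    only_parent = sorted(set(parent) - set(child))
    only_child = sorted(set(child) - set(parent))
    if only_parent or only_child:
        findings.append(("ns-name-mismatch", only_parent, only_child))
    p_ttl, c_ttl = set(parent.values()), set(child.values())
    if p_ttl != c_ttl:
        findings.append(("ns-ttl-mismatch", sorted(p_ttl), sorted(c_ttl)))
    return findings


if __name__ == "__main__":
    for finding in compare(PARENT_REFERRAL, CHILD_APEX):
        print(finding)
```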