[dns-operations] google DNS doing validation?

Joe Abley jabley at hopcount.ca
Mon Jan 28 16:35:18 UTC 2013


Hi all,

I haven't seen anybody else mention this out loud, but since early last week (doing a DNSSEC workshop with NSRC at NZNOG 2013) we saw 8.8.8.8 giving secure answers when queried with EDNS0/DO=1.

The responding node of 8.8.8.8 we saw in Wellington was in Sydney, I think (routing out through REANZ) but I see the same thing from my desk at home so perhaps this is a widespread change.

8.8.8.8 doesn't seem to support NSID, ID.SERVER/CH/TXT or HOSTNAME.BIND/CH/TXT but I included a traceroute in case anybody is interested.

The FAQ still says that responses are not validated, but perhaps there is a documentation gap. <https://developers.google.com/speed/public-dns/faq#dnssec>


Joe

[krill:~]% dig @8.8.8.8 hopcount.ca MX +dnssec 

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hopcount.ca MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21782
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;hopcount.ca.			IN	MX

;; ANSWER SECTION:
hopcount.ca.		21451	IN	MX	10 mail.hopcount.ca.
hopcount.ca.		21451	IN	RRSIG	MX 5 2 86400 20130218080658 20130119073027 37548 hopcount.ca. nZCKjUeb/yw6WKJjnHAkuGUWQJ4z0bAZ5A4Q/TCeUXHTlLXW/a9Ax8Aj Dw/CymTAWDisKW2yAhi2M9iU5xeQog1+gHmPL+laqsDsEPweYV21+o1W Zbb5jHyZKxlMqkW0QYaly4aE7USC4RLqAW+zJkP78Jz0qe/yy1mjddW0 6Ec=

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 28 11:32:45 2013
;; MSG SIZE  rcvd: 232

[krill:~]% 
[krill:~]% traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  office.r1.owls.hopcount.ca (199.212.90.1)  2.328 ms  1.608 ms  1.863 ms
 2  216.235.0.30 (216.235.0.30)  55.019 ms  54.184 ms  55.669 ms
 3  216.235.0.133 (216.235.0.133)  66.517 ms  62.202 ms  57.321 ms
 4  gw-google.torontointernetxchange.net (206.108.34.6)  84.828 ms  53.842 ms  57.366 ms
 5  209.85.255.232 (209.85.255.232)  53.916 ms
    216.239.47.114 (216.239.47.114)  55.641 ms  56.410 ms
 6  72.14.236.224 (72.14.236.224)  75.079 ms
    72.14.236.226 (72.14.236.226)  75.515 ms  74.957 ms
 7  209.85.249.11 (209.85.249.11)  81.529 ms
    72.14.239.93 (72.14.239.93)  81.668 ms
    209.85.249.11 (209.85.249.11)  79.977 ms
 8  72.14.238.16 (72.14.238.16)  80.152 ms  80.997 ms
    72.14.238.18 (72.14.238.18)  80.736 ms
 9  72.14.232.21 (72.14.232.21)  79.942 ms  93.158 ms  93.146 ms
10  google-public-dns-a.google.com (8.8.8.8)  80.808 ms  80.641 ms  79.708 ms
[krill:~]% 
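The check visible in the dig output above (the `ad` flag in a reply to a query sent with EDNS0 DO=1), as an added example that is not part of the original post. The function names, the `example.test` name and the sample reply are constructed for illustration; the RRSIG RDATA is a placeholder, not a real signature.

```python
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020   # header flag bits (RFC 1035, RFC 4035)
DO = 0x8000                                       # DO bit in the OPT TTL field (RFC 3225)
T_MX, T_OPT, T_RRSIG = 15, 41, 46

def build_query(name, qtype=T_MX, qid=0x1234, do=True, udp_size=4096):
    """Wire-format query with RD=1 and one EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", T_OPT, udp_size, DO if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Report the bits that matter when testing a resolver for DNSSEC validation."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    out = {"rcode": flags & 0xF, "ra": bool(flags & RA), "ad": bool(flags & AD),
           "do": False, "rrsigs": 0}
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == T_RRSIG and i < an:
            out["rrsigs"] += 1        # signatures returned in the answer section
        elif rtype == T_OPT:
            out["do"] = bool(ttl & DO)
    return out

def sample_response(ad=True):
    """Constructed reply for example.test: MX + RRSIG (placeholder RDATA) + OPT."""
    q = build_query("example.test")
    hdr = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | (AD if ad else 0), 1, 2, 0, 1)
    ptr = b"\xc0\x0c"                 # pointer to the question name at offset 12
    mx = ptr + struct.pack("!HHIH", T_MX, 1, 300, 4) + b"\x00\x0a" + ptr
    sig = ptr + struct.pack("!HHIH", T_RRSIG, 1, 300, 4) + b"\x00" * 4
    return hdr + q[12:-11] + mx + sig + q[-11:]
```

RRSIGs returned for a DO=1 query show only that the resolver passes DNSSEC records through; the `ad` bit is the resolver's own claim that it validated them.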



