[dns-operations] google DNS doing validation?
Frederico A C Neves
fneves at registro.br
Mon Jan 28 17:05:42 UTC 2013
Hi Joe,
Yes it has all the signs that it's actually doing real
validation. This is from a São Paulo node. Follows valid, failed
signed records and a traceroute.
Fred
~$ dig @8.8.8.8 registro.br a +dnssec +m
; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 registro.br a +dnssec +m
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54463
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;registro.br. IN A
;; ANSWER SECTION:
registro.br. 5912 IN A 200.160.2.3
registro.br. 5912 IN RRSIG A 5 2 172800 20130319113229 (
20130108113229 54964 registro.br.
M600GFMEi0vlGdW0mt9ZuT4zD8fV+vSTAVBkEW3gDaJo
zhImRxIT0mSy8XzNLwWyqLqqS0db6muQkTxjOWpnWlH8
hcMsaJp/4zCu8/+43Sfp5VCZMw01mhwCN3Z9tF6is+aU
sDUTnlRfu2BQjrFzqHzPvsm5jNLYQSGFx+3tpJ6DX11M
lkME+YBCmCYeUmL8 )
;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 28 14:38:13 2013
;; MSG SIZE rcvd: 243

~$ dig @8.8.8.8 signfail.ceptro.br a +dnssec +m
; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 signfail.ceptro.br a +dnssec +m
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12149
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;signfail.ceptro.br. IN A
;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 28 14:57:27 2013
;; MSG SIZE rcvd: 47

~$ traceroute -q 1 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 xe-1-0-1.2.ar1.in.REGISTRO.BR (200.160.3.65) 0.376 ms
2 ae0-0.core1.nu.registro.br (200.160.0.253) 0.594 ms
3 xe-0-0-0-0.gw2.nu.registro.br (200.160.0.171) 0.717 ms
4 as15169.sp.ptt.br (187.16.216.55) 1.059 ms
5 209.85.243.200 (209.85.243.200) 1.887 ms
6 72.14.233.91 (72.14.233.91) 1.488 ms
7 64.233.175.18 (64.233.175.18) 3.067 ms
8 google-public-dns-a.google.com (8.8.8.8) 1.708 ms
On Mon, Jan 28, 2013 at 11:35:18AM -0500, Joe Abley wrote:
> Hi all,
>
> I haven't seen anybody else mention this out loud, but since early last week (doing a DNSSEC workshop with NSRC at NZNOG 2013) we saw 8.8.8.8 giving secure answers when queried with EDNS0/DO=1.
>
> The responding node of 8.8.8.8 we saw in Wellington was in Sydney, I think (routing out through REANZ) but I see the same thing from my desk at home so perhaps this is a widespread change.
>
> 8.8.8.8 doesn't seem to support NSID, ID.SERVER/CH/TXT or HOSTNAME.BIND/CH/TXT but I included a traceroute in case anybody is interested.
>
> The FAQ still says that responses are not validated, but perhaps there is a documentation gap. <https://developers.google.com/speed/public-dns/faq#dnssec>
>
>
> Joe
>
> [krill:~]% dig @8.8.8.8 hopcount.ca MX +dnssec
>
> ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hopcount.ca MX +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21782
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;hopcount.ca. IN MX
>
> ;; ANSWER SECTION:
> hopcount.ca. 21451 IN MX 10 mail.hopcount.ca.
> hopcount.ca. 21451 IN RRSIG MX 5 2 86400 20130218080658 20130119073027 37548 hopcount.ca. nZCKjUeb/yw6WKJjnHAkuGUWQJ4z0bAZ5A4Q/TCeUXHTlLXW/a9Ax8Aj Dw/CymTAWDisKW2yAhi2M9iU5xeQog1+gHmPL+laqsDsEPweYV21+o1W Zbb5jHyZKxlMqkW0QYaly4aE7USC4RLqAW+zJkP78Jz0qe/yy1mjddW0 6Ec=
>
> ;; Query time: 102 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 28 11:32:45 2013
> ;; MSG SIZE rcvd: 232
>
> [krill:~]%
> [krill:~]% traceroute 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
> 1 office.r1.owls.hopcount.ca (199.212.90.1) 2.328 ms 1.608 ms 1.863 ms
> 2 216.235.0.30 (216.235.0.30) 55.019 ms 54.184 ms 55.669 ms
> 3 216.235.0.133 (216.235.0.133) 66.517 ms 62.202 ms 57.321 ms
> 4 gw-google.torontointernetxchange.net (206.108.34.6) 84.828 ms 53.842 ms 57.366 ms
> 5 209.85.255.232 (209.85.255.232) 53.916 ms
> 216.239.47.114 (216.239.47.114) 55.641 ms 56.410 ms
> 6 72.14.236.224 (72.14.236.224) 75.079 ms
> 72.14.236.226 (72.14.236.226) 75.515 ms 74.957 ms
> 7 209.85.249.11 (209.85.249.11) 81.529 ms
> 72.14.239.93 (72.14.239.93) 81.668 ms
> 209.85.249.11 (209.85.249.11) 79.977 ms
> 8 72.14.238.16 (72.14.238.16) 80.152 ms 80.997 ms
> 72.14.238.18 (72.14.238.18) 80.736 ms
> 9 72.14.232.21 (72.14.232.21) 79.942 ms 93.158 ms 93.146 ms
> 10 google-public-dns-a.google.com (8.8.8.8) 80.808 ms 80.641 ms 79.708 ms
> [krill:~]%
>
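The two checks the thread performs by hand with dig (an AD flag on a correctly signed name, SERVFAIL on a name whose signatures are deliberately broken) can be scripted so a resolver can be re-tested later. The script below is an added example written for this page, not code from either poster; it builds a DNS query with the EDNS0 DO bit using only the standard library, parses the response header, and combines the two observations into a verdict. The names registro.br and signfail.ceptro.br are taken from Fred's output above; the helper names (build_query, parse_header, probe, assess) are this example's own.

```python
"""Probe whether a recursive resolver performs DNSSEC validation.

Method (the same one used with dig in the thread):
  1. query a correctly signed name with DO=1 and expect NOERROR + AD flag;
  2. query a name whose signatures are broken on purpose and expect SERVFAIL.
Only the DNS header is parsed; that is all the two checks need.
"""
import random
import socket
import struct

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
QTYPE_A = 1


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, do=True, qid=None):
    """Return a query packet: header (RD=1), one question, and, when do=True,
    an EDNS0 OPT record in the additional section with the DO bit set."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if do:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, then the TTL
        # field reused as ext-rcode / version / flags (DO is the top bit), rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp):
    """Decode the 12-byte DNS header into the flags dig prints."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data: validated by resolver
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "ancount": an,
        "arcount": ar,
    }


def probe(resolver, name, qtype=QTYPE_A, timeout=3.0):
    """Send one DO=1 query over UDP and return the parsed response header."""
    qid = random.randrange(0, 65536)
    query = build_query(name, qtype, do=True, qid=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("response does not match our query")
    return hdr


def assess(good_hdr, bad_hdr):
    """Combine the signed-name and broken-name observations into a verdict."""
    good_ok = good_hdr["rcode"] == RCODE_NOERROR and good_hdr["ancount"] > 0
    if good_ok and good_hdr["ad"] and bad_hdr["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if good_ok and not good_hdr["ad"] and bad_hdr["rcode"] == RCODE_NOERROR:
        return "not validating"   # bogus data is passed through unflagged
    return "inconclusive"


if __name__ == "__main__":
    resolver = "8.8.8.8"
    good = probe(resolver, "registro.br")          # signed zone from the thread
    bad = probe(resolver, "signfail.ceptro.br")    # deliberately broken signatures
    print("signed name: rcode=%d ad=%s" % (good["rcode"], good["ad"]))
    print("broken name: rcode=%d" % bad["rcode"])
    print("verdict:", assess(good, bad))
```

The AD flag is only meaningful for the hop between the client and the resolver it is asking: a resolver that validates sets it, but nothing in the reply proves who set it, so the verdict says what the resolver at that address does and not that the path to it is secured. The SERVFAIL leg is the stronger of the two signals, since a non-validating resolver has no reason to refuse the broken name.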