[dns-operations] google DNS doing validation?

Stephan Lagerholm stephan.lagerholm at secure64.com
Mon Jan 28 17:14:16 UTC 2013


Not sure about that.

I get the AD bit back but oddly enough, the Swedish deliberately broken site trasigdnssec.se does not SERVFAIL on 8.8.8.8/8.8.4.4 but it does on the Google DNS v6 address:

stephan at pi:~$ dig @8.8.8.8 trasigdnssec.se +dnssec

; <<>> DiG 9.6-ESV-R1 <<>> @8.8.8.8 trasigdnssec.se +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;trasigdnssec.se.               IN      A

;; ANSWER SECTION:
trasigdnssec.se.        167     IN      A       212.247.206.40

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 28 18:10:31 2013
;; MSG SIZE  rcvd: 60

stephan at pi:~$ dig @2001:4860:4860::8888 trasigdnssec.se +dnssec

; <<>> DiG 9.6-ESV-R1 <<>> @2001:4860:4860::8888 trasigdnssec.se +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45259
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;trasigdnssec.se.               IN      A

;; Query time: 68 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Jan 28 18:10:40 2013
;; MSG SIZE  rcvd: 44




> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-
> bounces at lists.dns-oarc.net] On Behalf Of Frederico A C Neves
> Sent: Monday, January 28, 2013 11:06 AM
> To: Joe Abley
> Cc: dns-operations at mail.dns-oarc.net List
> Subject: Re: [dns-operations] google DNS doing validation?
> 
> Hi Joe,
> 
> Yes it has all the signs that it's actually doing real validation. This
> is from a São Paulo node. Follows valid, failed signed records and a
> traceroute.
> 
> Fred
> 
> ~$ dig @8.8.8.8 registro.br a +dnssec +m
> 
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 registro.br a +dnssec +m ; (1 server
> found) ;; global options: +cmd ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54463 ;; flags: qr
> rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
> ; 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;registro.br.		IN A
> 
> ;; ANSWER SECTION:
> registro.br.		5912 IN	A 200.160.2.3
> registro.br.		5912 IN	RRSIG A 5 2 172800 20130319113229 (
> 				20130108113229 54964 registro.br.
> 				M600GFMEi0vlGdW0mt9ZuT4zD8fV+vSTAVBkEW3gDaJo
> 				zhImRxIT0mSy8XzNLwWyqLqqS0db6muQkTxjOWpnWlH8
> 				hcMsaJp/4zCu8/+43Sfp5VCZMw01mhwCN3Z9tF6is+aU
> 				sDUTnlRfu2BQjrFzqHzPvsm5jNLYQSGFx+3tpJ6DX11M
> 				lkME+YBCmCYeUmL8 )
> 
> ;; Query time: 2 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 28 14:38:13 2013
> ;; MSG SIZE  rcvd: 243
> 
> ~$ dig @8.8.8.8 signfail.ceptro.br a +dnssec +m
> 
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 signfail.ceptro.br a +dnssec +m ; (1
> server found) ;; global options: +cmd ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12149 ;; flags: qr
> rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;signfail.ceptro.br.	IN A
> 
> ;; Query time: 19 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 28 14:57:27 2013
> ;; MSG SIZE  rcvd: 47
> 
> ~$ traceroute -q 1 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
>  1  xe-1-0-1.2.ar1.in.REGISTRO.BR (200.160.3.65)  0.376 ms
>  2  ae0-0.core1.nu.registro.br (200.160.0.253)  0.594 ms
>  3  xe-0-0-0-0.gw2.nu.registro.br (200.160.0.171)  0.717 ms
>  4  as15169.sp.ptt.br (187.16.216.55)  1.059 ms
>  5  209.85.243.200 (209.85.243.200)  1.887 ms
>  6  72.14.233.91 (72.14.233.91)  1.488 ms
>  7  64.233.175.18 (64.233.175.18)  3.067 ms
>  8  google-public-dns-a.google.com (8.8.8.8)  1.708 ms
> 
> On Mon, Jan 28, 2013 at 11:35:18AM -0500, Joe Abley wrote:
> > Hi all,
> >
> > I haven't seen anybody else mention this out loud, but since early
> last week (doing a DNSSEC workshop with NSRC at NZNOG 2013) we saw
> 8.8.8.8 giving secure answers when queried with EDNS0/DO=1.
> >
> > The responding node of 8.8.8.8 we saw in Wellington was in Sydney, I
> think (routing out through REANZ) but I see the same thing from my desk
> at home so perhaps this is a widespread change.
> >
> > 8.8.8.8 doesn't seem to support NSID, ID.SERVER/CH/TXT or
> HOSTNAME.BIND/CH/TXT but I included a traceroute in case anybody is
> interested.
> >
> > The FAQ still says that responses are not validated, but perhaps
> there
> > is a documentation gap.
> > <https://developers.google.com/speed/public-dns/faq#dnssec>
> >
> >
> > Joe
> >
> > [krill:~]% dig @8.8.8.8 hopcount.ca MX +dnssec
> >
> > ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hopcount.ca MX +dnssec ; (1 server
> > found) ;; global options: +cmd ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21782 ;; flags:
> qr
> > rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION:
> > ;hopcount.ca.			IN	MX
> >
> > ;; ANSWER SECTION:
> > hopcount.ca.		21451	IN	MX	10 mail.hopcount.ca.
> > hopcount.ca.		21451	IN	RRSIG	MX 5 2 86400 20130218080658
> 20130119073027 37548 hopcount.ca.
> nZCKjUeb/yw6WKJjnHAkuGUWQJ4z0bAZ5A4Q/TCeUXHTlLXW/a9Ax8Aj
> Dw/CymTAWDisKW2yAhi2M9iU5xeQog1+gHmPL+laqsDsEPweYV21+o1W
> Zbb5jHyZKxlMqkW0QYaly4aE7USC4RLqAW+zJkP78Jz0qe/yy1mjddW0 6Ec=
> >
> > ;; Query time: 102 msec
> > ;; SERVER: 8.8.8.8#53(8.8.8.8)
> > ;; WHEN: Mon Jan 28 11:32:45 2013
> > ;; MSG SIZE  rcvd: 232
> >
> > [krill:~]%
> > [krill:~]% traceroute 8.8.8.8
> > traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
> >  1  office.r1.owls.hopcount.ca (199.212.90.1)  2.328 ms  1.608 ms
> > 1.863 ms
> >  2  216.235.0.30 (216.235.0.30)  55.019 ms  54.184 ms  55.669 ms
> >  3  216.235.0.133 (216.235.0.133)  66.517 ms  62.202 ms  57.321 ms
> >  4  gw-google.torontointernetxchange.net (206.108.34.6)  84.828 ms
> > 53.842 ms  57.366 ms
> >  5  209.85.255.232 (209.85.255.232)  53.916 ms
> >     216.239.47.114 (216.239.47.114)  55.641 ms  56.410 ms
> >  6  72.14.236.224 (72.14.236.224)  75.079 ms
> >     72.14.236.226 (72.14.236.226)  75.515 ms  74.957 ms
> >  7  209.85.249.11 (209.85.249.11)  81.529 ms
> >     72.14.239.93 (72.14.239.93)  81.668 ms
> >     209.85.249.11 (209.85.249.11)  79.977 ms
> >  8  72.14.238.16 (72.14.238.16)  80.152 ms  80.997 ms
> >     72.14.238.18 (72.14.238.18)  80.736 ms
> >  9  72.14.232.21 (72.14.232.21)  79.942 ms  93.158 ms  93.146 ms
> > 10  google-public-dns-a.google.com (8.8.8.8)  80.808 ms  80.641 ms
> > 79.708 ms [krill:~]%
> >
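To make the check being done in this thread concrete, here is an added Python example (not code from the list, from the posters, or from Google): it builds the wire-format query that dig +dnssec sends (RD set plus an EDNS0 OPT record with DO=1), reads rcode, AD and DO back out of a response, and classifies constructed responses shaped like the three cases seen above (AD set, SERVFAIL, NOERROR without AD). The transaction id, UDP size and the sample messages are assumptions; the samples carry no answer RRs.

```python
import struct

QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
EDNS_DO = 0x8000  # DO is the top bit of the 16-bit flags half of the OPT RR's 32-bit TTL field

def encode_name(name):
    # wire format: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_message(name, flags, txid=0x1234, do=True, udp_size=4096):
    # header + A/IN question + OPT RR (root, type 41, class = UDP size, TTL = DO); flags=FLAG_RD gives dig's +dnssec query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    # return the offset just past the name at `off`; a compression pointer (0xC0) ends it
    while msg[off] and not msg[off] & 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def parse_response(msg):
    # rcode and AD come from the header; DO is read back from the echoed OPT RR
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, do = 12, False
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        do = do or (rtype == QTYPE_OPT and bool(ttl & EDNS_DO))
        off += 10 + rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "do": do}

def classify(msg):
    # what one answer lets you conclude, the way the thread reads its dig output
    r = parse_response(msg)
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"     # a validator's answer for a bogus zone, but also any other failure
    if r["rcode"] == RCODE_NOERROR and r["ad"]:
        return "secure"       # resolver asserts it validated the data
    return "unvalidated"      # NOERROR without AD: insecure zone, or no validation done

# constructed responses shaped like the thread's three cases (answer RRs omitted for brevity)
RESP = FLAG_QR | FLAG_RD | FLAG_RA
SAMPLES = {n: build_message(n, RESP | f) for n, f in
           [("registro.br", FLAG_AD), ("signfail.ceptro.br", RCODE_SERVFAIL), ("trasigdnssec.se", 0)]}
```

A SERVFAIL alone does not prove validation happened; the thread's pairing of a known-bogus name with a known-good signed name that comes back with AD is what separates a validator from a resolver that simply failed.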