[dns-operations] google DNS doing validation?
Joe Abley
jabley at hopcount.ca
Mon Jan 28 17:32:09 UTC 2013
On 2013-01-28, at 12:14, Hauke Lampe <lampe at hauke-lampe.de> wrote:
> It appears they're validating _only_ when queried with DO=1:
Yeah.
> dig badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: NOERROR
> dig +dnssec badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: SERVFAIL
They do the right thing with CD=1, DO=1:
[krill:~]% dig @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63408
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
badsig.dnstest.hauke-lampe.de. 198 IN A 85.10.240.253
badsig.dnstest.hauke-lampe.de. 198 IN RRSIG A 5 4 300 20100409031244 20100310031244 46791 badsig.dnstest.hauke-lampe.de. HDJtmGW02QHyKB1H23A+wKIHrLY0qsK74a+j8E5z809BfIY3L9HnSp0e SJfblQbn5ty8t3yZg31gBPc5n3y3cg==
[krill:~]%
> Still no alternative to a local validating resolver but a big step in the right direction, I think.
I think so, too.
Joe
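The behaviour described above (SERVFAIL only when DO=1, bogus data handed back when CD=1) can be checked from a script that sends the three flag combinations and interprets the RCODEs. This is an added example, not code from the thread or from Google; it uses only the standard library and assumes the resolver answers plain UDP on port 53, and that the test name carries a deliberately broken signature, as badsig.dnstest.hauke-lampe.de does in the thread.

```python
import socket
import struct

# Wire-format constants: RFC 1035 header flags, RFC 6891 EDNS0 OPT, RFC 4035 DO bit
RD_FLAG, AD_FLAG, CD_FLAG = 0x0100, 0x0020, 0x0010
DO_BIT = 0x8000            # high bit of the 16-bit flags inside the OPT RR "TTL" field
NOERROR, SERVFAIL = 0, 2

def build_query(qname, do=False, cd=False, qid=0x1234):
    """Build an A query for qname with the chosen DO (EDNS) and CD (header) settings."""
    header = struct.pack("!HHHHHH", qid, RD_FLAG | (CD_FLAG if cd else 0), 1, 0, 0, 1)
    labels = [l.encode() for l in qname.rstrip(".").split(".")]
    owner = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = owner + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    # OPT RR: root owner name, type 41, UDP payload size 4096, DO in the TTL field, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT if do else 0, 0)
    return header + question + opt

def parse_header(wire):
    """Return the id, RCODE and AD/CD flag bits from a raw DNS message."""
    qid, flags = struct.unpack("!HH", wire[:4])
    return {"id": qid, "rcode": flags & 0x000F,
            "ad": bool(flags & AD_FLAG), "cd": bool(flags & CD_FLAG)}

def classify(rcodes):
    """rcodes maps (do, cd) -> RCODE seen for a name whose signature is broken.
    A validating resolver answers SERVFAIL; with CD=1 it must return the bogus data."""
    plain, do_only, do_cd = rcodes[(False, False)], rcodes[(True, False)], rcodes[(True, True)]
    if plain == SERVFAIL and do_only == SERVFAIL:
        mode = "validates regardless of DO"
    elif do_only == SERVFAIL:
        mode = "validates only when DO=1"
    else:
        mode = "no validation"
    return {"mode": mode, "honours_cd": do_cd == NOERROR}

def probe(resolver, qname, timeout=3.0):
    """Send the three DO/CD combinations to resolver over UDP and classify the answers."""
    rcodes = {}
    for do, cd in [(False, False), (True, False), (True, True)]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, do=do, cd=cd), (resolver, 53))
            rcodes[(do, cd)] = parse_header(s.recv(4096))["rcode"]
    return classify(rcodes)

if __name__ == "__main__":
    # Network call; the name and resolver are the ones discussed in the thread.
    print(probe("8.8.8.8", "badsig.dnstest.hauke-lampe.de"))
```

Only `probe` touches the network; `classify` can be fed RCODEs captured any other way, for example from the dig runs quoted above.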