[dns-operations] google DNS doing validation?

Tue Jan 29 02:05:24 UTC 2013

Looks like they are doing DNSSEC correctly but still not supporting DNAME 

java -jar fccgrade-0.9.9.jar -r 8.8.8.8
Server 8.8.8.8 Grade= D ==> RFC1034 (old) style resolver --> Empty Answer:shinkuro.net. A  AD sometimes missing    T1P/94 T2P/880 T3P/76 T4P/94 T5F/96 T6P/96 T7A/389 T8A/284 T9F/268 T10A/483 T11A/491 T12A/41 T13S/0
Failed tests:
 T6 DNAME Support := DNAME Not Supported RFC2672/RFC6672 --  NO DNAME seen in answer 
 T10 Signed DNAME := NO signed DNAME RFC4035 --  NO DNAME seen in answer 
 T14 Returns Bogus := Skipped

	Olafur

On Jan 28, 2013, at 12:32 PM, Joe Abley wrote:

> 
> On 2013-01-28, at 12:14, Hauke Lampe <lampe at hauke-lampe.de> wrote:
> 
>> It appears they're validating _only_ when queried with DO=1:
> 
> Yeah.
> 
>> dig badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: NOERROR
>> dig +dnssec badsig.dnstest.hauke-lampe.de @8.8.8.8 -> status: SERVFAIL
> 
> They do the right thing with CD=1, DO=1:
> 
> [krill:~]% dig @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer 
> 
> ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 badsig.dnstest.hauke-lampe.de A +dnssec +cd +noall +comments +answer
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63408
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; ANSWER SECTION:
> badsig.dnstest.hauke-lampe.de. 198 IN	A	85.10.240.253
> badsig.dnstest.hauke-lampe.de. 198 IN	RRSIG	A 5 4 300 20100409031244 20100310031244 46791 badsig.dnstest.hauke-lampe.de. HDJtmGW02QHyKB1H23A+wKIHrLY0qsK74a+j8E5z809BfIY3L9HnSp0e SJfblQbn5ty8t3yZg31gBPc5n3y3cg==
> 
> [krill:~]% 
> 
>> Still no alternative to a local validating resolver but a big step in the right direction, I think.
> 
> I think so, too.
> 
> 
> Joe
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs