[dns-operations] google DNS doing validation?
Hauke Lampe
lampe at hauke-lampe.de
Tue Jan 29 03:48:55 UTC 2013
On 29.01.2013 03:24, Mark Andrews wrote:
> In message <A592632C-842E-437B-A19E-01E0EEA31AC7 at ogud.com>, Olafur Gudmundsson
> writes:
>> Looks like they are doing DNSSEC correctly but still not supporting DNAME
> So by definition they are *not* supporting DNSSEC and DNAME support is
> mandatory for DNSSEC.
Oh. That could be a problem. I hadn't noticed yet that DNAME resolution
fails for signed zones if DO=1:
Unbound and BIND get it right:
dig +dnssec _xmpp-server._tcp.jabber.openchaos.org srv @149.20.64.21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49710
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 3, ADDITIONAL: 2
;; ANSWER SECTION:
jabber.openchaos.org. 179 IN DNAME jabber.i-pobox.net.
_xmpp-server._tcp.jabber.openchaos.org. 0 IN CNAME _xmpp-server._tcp.jabber.i-pobox.net.
[...]
DO=1 queries to Google's DNS fail:
dig +dnssec _xmpp-server._tcp.jabber.openchaos.org srv @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Without DO, it works:
dig _xmpp-server._tcp.jabber.openchaos.org srv @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61361
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
_xmpp-server._tcp.jabber.openchaos.org. 0 IN CNAME _xmpp-server._tcp.jabber.i-pobox.net.
[...]
*grumble*
Hauke.
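
The Unbound/BIND answer quoted above carries a DNAME plus a CNAME synthesized from it; the synthesized CNAME has no signature of its own, so a validating resolver has to check it against the signed DNAME. A Python sketch of that check, added here as an illustration and not part of the original message: the function names and the sample records (constructed from the quoted dig output) are assumptions of the example, and RRSIG verification of the DNAME itself is left out.

```python
# Added example: checks a CNAME against the DNAME it claims to be synthesized from.
# Sample records are constructed from the dig output quoted in the message.

def labels(name):
    """Lowercased labels of a domain name (escaped dots are not handled)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def synthesize_cname(qname, dname_owner, dname_target):
    """RFC 6672 substitution: replace the DNAME owner suffix of qname with the
    DNAME target. Returns None when the DNAME does not cover qname."""
    q, o = labels(qname), labels(dname_owner)
    cut = len(q) - len(o)
    if cut <= 0 or q[cut:] != o:      # a DNAME never applies to its own owner name
        return None
    new = q[:cut] + labels(dname_target)
    if sum(len(l) + 1 for l in new) + 1 > 255:   # wire-format length limit
        raise ValueError("synthesized name too long (YXDOMAIN case)")
    return ".".join(new) + "."

def check_answer(qname, answer):
    """answer is a list of (owner, type, rdata) tuples from the ANSWER section.
    Returns 'match', 'mismatch', 'no-cname' or 'no-dname'."""
    cname = next((rd for o, t, rd in answer
                  if t == "CNAME" and labels(o) == labels(qname)), None)
    for owner, rrtype, rdata in answer:
        if rrtype != "DNAME":
            continue
        expected = synthesize_cname(qname, owner, rdata)
        if expected is None:
            continue
        if cname is None:
            return "no-cname"
        return "match" if labels(cname) == labels(expected) else "mismatch"
    return "no-dname"

QNAME = "_xmpp-server._tcp.jabber.openchaos.org."
GOOD = [("jabber.openchaos.org.", "DNAME", "jabber.i-pobox.net."),
        (QNAME, "CNAME", "_xmpp-server._tcp.jabber.i-pobox.net.")]
# Constructed tampering case: CNAME target does not follow from the DNAME.
BAD = [GOOD[0], (QNAME, "CNAME", "_xmpp-server._tcp.example.net.")]

if __name__ == "__main__":
    for name, ans in (("good", GOOD), ("bad", BAD), ("cname only", GOOD[1:])):
        print(name, "->", check_answer(QNAME, ans))
```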