[dns-operations] Google DNS ignores DNSSEC validation failure
Daniel Stirnimann
daniel.stirnimann at switch.ch
Thu Sep 29 12:49:42 UTC 2016
Hi all,
I've added an unsigned zone insecuretest.switch.ch but did not add the
delegation in the parent zone. Thus, on validating resolvers a lookup
returns SERVFAIL.
To my surprise Google DNS (8.8.8.8) does return an answer. Is this on
purpose or by mistake? According to their docs, it looks more like a
mistake:
https://developers.google.com/speed/public-dns/faq#gdns_validation_failure
dig @8.8.8.8 insecuretest.switch.ch +dnssec
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 insecuretest.switch.ch +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;insecuretest.switch.ch. IN A
;; AUTHORITY SECTION:
insecuretest.switch.ch. 1799 IN SOA scsnms.switch.ch. dns-operation.switch.ch. 2016092902 28800 7200 604800 1800
;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 29 14:47:34 2016
;; MSG SIZE rcvd: 108
Does anyone know more? Are there more exceptions where DNSSEC validation
failures are ignored on Google DNS?
Daniel
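
Added example, not part of the original post: a small Python check that reads the header of dig output from several resolvers for the same query and reports which ones answered without the AD flag while another resolver returned SERVFAIL, which is the discrepancy described above. The function names, the resolver label validator.example and the two samples marked as constructed are assumptions made for illustration.

```python
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# Header flags only; the EDNS "flags: do" line starts differently and is skipped.
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)

def classify(dig_text):
    """Map one dig response to 'servfail', 'validated' or 'unvalidated'."""
    status, flags = STATUS_RE.search(dig_text), FLAGS_RE.search(dig_text)
    if not status or not flags:
        raise ValueError("no dig header found")
    if status.group(1) == "SERVFAIL":
        return "servfail"     # typical of a validation failure, but not proof of one
    if "ad" in flags.group(1).split():
        return "validated"    # resolver asserts the data passed DNSSEC validation
    return "unvalidated"      # answered, but without the AD flag

def lenient_resolvers(outputs):
    """outputs maps resolver -> dig text for the SAME query.
    Returns resolvers that answered unvalidated while another one said SERVFAIL."""
    verdicts = {name: classify(text) for name, text in outputs.items()}
    if "servfail" not in verdicts.values():
        return []
    return sorted(n for n, v in verdicts.items() if v == "unvalidated")

# Header lines copied from the dig output in the post.
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
"""
# Constructed sample: what a validating resolver's SERVFAIL header looks like.
VALIDATOR = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample: a correctly signed name answered with the AD flag set.
SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(lenient_resolvers({"8.8.8.8": GOOGLE, "validator.example": VALIDATOR}))
```
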