[dns-operations] Google DNS ignores DNSSEC validation failure

Maciej Andziński Maciej.Andzinski at nask.pl
Thu Sep 29 13:53:08 UTC 2016


Hi Daniel,

When it comes to DNSSEC validation I noticed a peculiar behaviour of Google Public DNS servers. Among others, sometimes no SERVFAIL RCODE was returned in answer to a query for a domain name with bogus DNSSEC delegation. I described my observations in a paper which you can find here: http://www.dns.pl/dnssec/ecc_support_in_dns_resolvers.pdf (see section 2.3)

Maciek


----- On 29 Sep 2016 at 14:49, Daniel Stirnimann daniel.stirnimann at switch.ch wrote:

> Hi all,
> 
> I've added an unsigned zone insecuretest.switch.ch but did not add the
> delegation in the parent zone. Thus, on validating resolvers a lookup
> returns SERVFAIL.
> 
> To my surprise Google DNS (8.8.8.8) does return an answer. Is this on
> purpose or by mistake? According to their docs, it looks more like a
> mistake:
> https://developers.google.com/speed/public-dns/faq#gdns_validation_failure
> 
> dig @8.8.8.8 insecuretest.switch.ch +dnssec
> 
> ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 insecuretest.switch.ch +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16456
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;insecuretest.switch.ch.		IN	A
> 
> ;; AUTHORITY SECTION:
> insecuretest.switch.ch.	1799	IN	SOA	scsnms.switch.ch.
> dns-operation.switch.ch. 2016092902 28800 7200 604800 1800
> 
> ;; Query time: 47 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Thu Sep 29 14:47:34 2016
> ;; MSG SIZE  rcvd: 108
> 
> Does anyone know more? Are there more exceptions where DNSSEC validation
> failures are ignored on Google DNS?
> 
> Daniel
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
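As an added example (not code from Daniel's or Maciek's posts), here is a stdlib-only Python script that builds the same kind of query dig sends with +dnssec (RD set, EDNS0 OPT record with the DO bit) and classifies a resolver's reply the way the thread does: by RCODE and by whether the AD flag is set. The function names `build_query`, `summarize`, `classify` and `query` are chosen here, and the wire messages in the test are constructed to mirror the header shown in the dig output above.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(qname, qtype=1, do=True, txid=0x1234):
    """Build a DNS query (RD set) with an EDNS0 OPT RR; DO asks for DNSSEC data."""
    # Header: ID, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qn + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | flags(16); DO is the top flag bit
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt


def summarize(resp):
    """Pull RCODE, AD flag and section counts out of a response header."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", resp, 0)
    rcode = flags & 0x000F
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ad": bool(flags & 0x0020), "answers": an, "authority": ns}


def classify(resp):
    """Map a reply to what it says about validation on the resolver side."""
    s = summarize(resp)
    if s["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver withheld data (validation failure or other error)"
    if s["rcode"] == "NOERROR" and s["ad"]:
        return "NOERROR+AD: data validated as secure"
    if s["rcode"] == "NOERROR":
        return "NOERROR without AD: unvalidated data (insecure zone, or validation skipped)"
    return s["rcode"]


def query(server, qname, timeout=3.0):
    """Send the query over UDP and classify the reply (network access required)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)


if __name__ == "__main__":
    for server in ("8.8.8.8", "9.9.9.9"):
        print(server, query(server, "insecuretest.switch.ch"))
```

Comparing the one-line verdict across several resolvers for a name known to be bogus is the quickest way to spot a resolver that answers where a validator should SERVFAIL.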