[dns-operations] Google DNS ignores DNSSEC validation failure
Arsen STASIC
arsen.stasic at univie.ac.at
Fri Sep 30 08:49:16 UTC 2016
Hi Daniel,
* Daniel Stirnimann <daniel.stirnimann at switch.ch> [2016-09-29 14:49 (+0200)]:
[...]
> Anyone knows more? Are there more exceptions where DNSSEC validation
> failures are ignored on Google DNS?
If I query for SOA with +norec I'm getting SERVFAIL from Google Public DNS:
(and with recursion NOERROR)
dig soa insecuretest.switch.ch +dnssec +norec @8.8.8.8
; <<>> DiG 9.10.3-P4 <<>> soa insecuretest.switch.ch +dnssec +norec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39007
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;insecuretest.switch.ch. IN SOA
;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 30 10:40:46 CEST 2016
;; MSG SIZE rcvd: 51
dig soa insecuretest.switch.ch +dnssec @8.8.8.8
; <<>> DiG 9.10.3-P4 <<>> soa insecuretest.switch.ch +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;insecuretest.switch.ch. IN SOA
;; ANSWER SECTION:
insecuretest.switch.ch. 21536 IN SOA scsnms.switch.ch. dns-operation.switch.ch. 2016092902 28800 7200 604800 1800
;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 30 10:44:18 CEST 2016
;; MSG SIZE rcvd: 108
Cheers,
-arsen
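
An added example, not part of the original message: a small Python parser for the dig header lines shown above, reporting the rcode and whether the AD flag is present so the +norec and recursive responses can be compared mechanically. The function names are hypothetical; the sample headers are copied from the two outputs in this message.

```python
import re

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*); QUERY: \d+, ANSWER: (\d+)", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:\s*([a-z ]*); udp: \d+", re.M)

# Header lines copied from the two dig outputs in the message above.
NOREC = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39007
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
"""
REC = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
"""

def parse_dig(text):
    """Extract rcode, header flags, answer count and the EDNS DO bit."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    edns = EDNS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
        "do": bool(edns) and "do" in edns.group(1).split(),
    }

def describe(resp):
    """Classify one response by rcode and AD flag."""
    if resp["status"] == "SERVFAIL":
        return "servfail"  # a validation failure is one possible cause
    if resp["status"] == "NOERROR" and resp["answers"] > 0:
        # A resolver sets AD only on answers it considers authenticated.
        return "validated" if "ad" in resp["flags"] else "answered-without-ad"
    return "other"

def inconsistent(a, b):
    """True when one query got SERVFAIL and the other got an answer."""
    kinds = {describe(a), describe(b)}
    return "servfail" in kinds and bool(kinds & {"validated", "answered-without-ad"})

if __name__ == "__main__":
    a, b = parse_dig(NOREC), parse_dig(REC)
    print(describe(a), describe(b), inconsistent(a, b))
```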