[dns-operations] Strange behavior of google public resolver

Ondřej Surý ondrej at sury.org
Thu Apr 18 11:01:26 UTC 2019

> On 18 Apr 2019, at 12:15, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Apr 18, 2019 at 11:07:14AM +0100,
> Jim Reid <jim at rfc1035.com> wrote 
> a message of 8 lines which said:
>>> Of course, it would be better to move away from DSA, but it shouldn't
>>> make a SERVFAIL, just a lack of validation
>> ? If DSA signatures can't be validated, SERVFAIL is the correct response.
> No. They can be validated (my Unbound can do it). At worse, the
> algorithm can be unknown for the resolver, and then ignored (reply
> without AD, the most common for this domain).

That doesn’t mean all Google Public DNS can validate DSA.  But it should
return insecure instead of bogus anyway, so no, SERVFAIL is not a correct

Ondřej Surý
ondrej at sury.org

More information about the dns-operations mailing list