[dns-operations] dnssec-failed.org and dns.google

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 14 13:18:36 UTC 2019


On Wed, Aug 14, 2019 at 08:27:54AM +0200, A. Schulze wrote:

> ; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 dnssec-failed.org. +aaonly
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54820
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;dnssec-failed.org.             IN      A
> 
> ;; ANSWER SECTION:
> dnssec-failed.org.      7199    IN      A       69.252.80.75

I also see answers coming back, with the AD-bit set, from 8.8.{8.8,4.4},
but not 1.0.0.1, 1.1.1.1, 64.6.64.6 or 64.6.65.6.

If validation were disabled, I'd at least expect the AD bit to be
off.  Not clear what the reason might be.

-- 
	Viktor.
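
The check discussed in this message, as an added example that is not part of the original post: decode the header flags and RCODE of a resolver's reply and classify it. It assumes the queried zone is one that should fail DNSSEC validation; the function names and the two extra sample headers are constructed for illustration.

```python
import struct

# Flag masks in the 16-bit DNS header flags word (RFC 1035; AD/CD from RFC 4035).
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": sorted(n for n, bit in FLAG_BITS.items() if flags & bit),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "counts": (qd, an, ns, ar),
    }


def classify_bogus_zone_reply(msg: bytes) -> str:
    """Classify a reply for a zone assumed (hypothetically) to fail validation."""
    h = parse_header(msg)
    if "qr" not in h["flags"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL":
        return "rejected"             # what a validating resolver returns for bogus data
    if h["rcode"] == "NOERROR" and "ad" in h["flags"]:
        return "answered-with-ad"     # the combination shown in the quoted dig output
    if h["rcode"] == "NOERROR":
        return "answered-without-ad"  # consistent with validation being off
    return "other:" + h["rcode"]


# Constructed sample headers (header only, no question or answer sections).
SAMPLES = {
    # Mirrors the quoted dig header: id 54820, qr rd ra ad, NOERROR, counts 1/1/0/1.
    "quoted-8.8.8.8": struct.pack("!6H", 54820, 0x81A0, 1, 1, 0, 1),
    # Constructed: SERVFAIL with qr rd ra.
    "constructed-servfail": struct.pack("!6H", 1, 0x8182, 1, 0, 0, 1),
    # Constructed: NOERROR with qr rd ra, AD clear.
    "constructed-no-ad": struct.pack("!6H", 2, 0x8180, 1, 1, 0, 1),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_header(raw)["flags"], classify_bogus_zone_reply(raw))
```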


