[dns-operations] dnssec-failed.org and dns.google

Warren Kumari warren at kumari.net
Wed Aug 14 14:06:27 UTC 2019


[ Top-post ]

Hi,

Thanks for letting us know. Google Public DNS is aware of the issue --
it's a bug related to a new feature / validation, and is being
addressed now...

W

On Wed, Aug 14, 2019 at 9:26 AM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Wed, Aug 14, 2019 at 08:27:54AM +0200, A. Schulze wrote:
>
> > ; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 dnssec-failed.org. +aaonly
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54820
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 512
> > ;; QUESTION SECTION:
> > ;dnssec-failed.org.             IN      A
> >
> > ;; ANSWER SECTION:
> > dnssec-failed.org.      7199    IN      A       69.252.80.75
>
> I also see answers coming back, with the AD-bit set, from 8.8.{8.8,4.4},
> but not 1.0.0.1, 1.1.1.1, 64.6.64.6 or 64.6.65.6.
>
> If validation were disabled, I'd at least expect the AD bit to be
> off.  Not clear what the reason might be.
>
> --
>         Viktor.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
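
A resolver check based on the behaviour discussed in this thread, added here as an example and not part of the original messages: it reads the 12-byte DNS header of a reply and classifies the resolver by RCODE and AD bit. It assumes the queried zone is one a validating resolver should answer with SERVFAIL and that the query did not set CD; the function names, labels and the two comparison headers are constructed.

```python
import struct

# Header flag masks: QR and RCODE from RFC 1035, AD and CD from RFC 4035.
QR, AD, CD, RCODE_MASK = 0x8000, 0x0020, 0x0010, 0x000F
NOERROR, SERVFAIL = 0, 2

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK, "ancount": an}

def classify(msg: bytes) -> str:
    """Classify a reply for a name whose DNSSEC chain is expected to fail."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["cd"]:
        return "inconclusive"          # checking disabled, validation not requested
    if h["rcode"] == SERVFAIL:
        return "servfail-as-expected"  # consistent with the data being rejected
    if h["rcode"] == NOERROR and h["ancount"] > 0:
        # An answer with AD set claims the data validated; without AD the
        # resolver is simply not validating.
        return "bogus-marked-authentic" if h["ad"] else "not-validating"
    return "inconclusive"

def header(ident: int, flags: int, ancount: int) -> bytes:
    """Build a response header with QDCOUNT=1, NSCOUNT=0, ARCOUNT=1."""
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 1)

# Header rebuilt from the dig output quoted in the thread:
# id 54820, flags qr rd ra ad, status NOERROR, ANSWER: 1.
FROM_THREAD = header(54820, 0x81A0, 1)
# Constructed comparison headers (not from the thread).
SERVFAIL_REPLY = header(1, 0x8182, 0)  # qr rd ra, SERVFAIL, no answer
NO_AD_REPLY = header(2, 0x8180, 1)     # qr rd ra, NOERROR, AD clear

if __name__ == "__main__":
    for name, msg in [("thread", FROM_THREAD), ("servfail", SERVFAIL_REPLY),
                      ("no-ad", NO_AD_REPLY)]:
        print(name, classify(msg))
```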


