[159914] in North American Network Operators' Group
Re: Google's Public DNS does DNSSEC validation
daemon@ATHENA.MIT.EDU (Mansoor Nathani)
Tue Jan 29 03:05:21 2013
In-Reply-To: <51077466.3020502@forfun.net>
Date: Tue, 29 Jan 2013 03:05:03 -0500
From: Mansoor Nathani <mnathani@winvive.com>
To: Marco Davids <mdavids@forfun.net>
Cc: nanog@nanog.org
I guess it's only a matter of time before they start validating all
requests. And more importantly, returning SERVFAIL for invalid hosts.
Mansoor
On Tue, Jan 29, 2013 at 2:04 AM, Marco Davids <mdavids@forfun.net> wrote:
> This is interesting news; it seems that Google's Public DNS is
> performing DNSSEC validation (when the DO-bit is set):
>
> dig +dnssec +multi www.dnssec.nl @8.8.8.8
>
> ; <<>> DiG 9.9.1-vjs163.18-P1 <<>> +dnssec +multi www.dnssec.nl @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51937
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;www.dnssec.nl. IN A
>
> ;; ANSWER SECTION:
> www.dnssec.nl. 21580 IN A 213.154.228.160
> www.dnssec.nl. 21580 IN RRSIG A 8 3 86400 (
> 20130227071505 20130128071505 33084 dnssec.nl.
> J9MzudQJHT7UEFZDxioAeOSARqvN87stHIiXLdl1f6ZB
> I3UGSqKIOlYpuaM7a6jk8k8oajUkGEHGOxa9ypJQHvlv
> mAE6noaI5sZh6R6lnkd48zGs/xPg4BNODG2zNb3I/lQ3
> 2ojQtcs9AIMDEtH5+XISuwvPre5hhYkneM6mtUc= )
>
> ;; Query time: 28 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue Jan 29 08:03:53 2013
> ;; MSG SIZE rcvd: 227
>
> --
> Marco Davids
>
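The check shown in the quoted dig output (DO set in the query, `ad` set in the reply) and the SERVFAIL case mentioned in the reply, as an added example that is not part of the thread: Python that builds a query carrying the EDNS0 DO bit and classifies a response header. The sample headers are constructed; the first reuses the id and flags visible in the quoted output, and the function names and verdict strings are assumptions of this example.

```python
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, in the low 16 bits of the OPT TTL
QR_BIT = 0x8000  # header: this message is a response
AD_BIT = 0x0020  # header: resolver reports the answer as authenticated
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, do=True, udp_size=4096):
    """Build an A/IN query with RD set and one EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, DO_BIT if do else 0, 0)
    return header + question + opt

def classify(response):
    """Return (rcode, ad_flag, verdict) read from a DNS response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    if not flags & QR_BIT:
        raise ValueError("not a response")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    ad = bool(flags & AD_BIT)
    if rcode == "SERVFAIL":
        verdict = "servfail"       # what a validating resolver returns for bogus data
    else:
        verdict = "validated" if ad else "not-validated"
    return rcode, ad, verdict

def sample_header(qid, flags, answers=0):
    """Constructed 12-byte response header: 1 question, 1 additional (OPT)."""
    return struct.pack("!HHHHHH", qid, flags, 1, answers, 0, 1)

# Constructed samples; the first mirrors "id: 51937, flags: qr rd ra ad" above.
SAMPLE_VALIDATED = sample_header(51937, 0x81A0, 2)
SAMPLE_SERVFAIL = sample_header(4660, 0x8182)      # qr rd ra, rcode 2
SAMPLE_PLAIN = sample_header(4661, 0x8180, 1)      # qr rd ra, no ad

if __name__ == "__main__":
    for sample in (SAMPLE_VALIDATED, SAMPLE_SERVFAIL, SAMPLE_PLAIN):
        print(classify(sample))
```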