[160014] in North American Network Operators' Group
Re: Google's Public DNS does DNSSEC validation
daemon@ATHENA.MIT.EDU (Tony Finch)
Wed Jan 30 09:59:43 2013
Date: Wed, 30 Jan 2013 14:59:23 +0000
From: Tony Finch <dot@dotat.at>
To: Mick O'Rourke <mkorourke+nanog@gmail.com>
In-Reply-To: <CAM7FjJfN=J9nCeV4mbSHV+XK1UvU+zAScHnDrZ0AJCSO1BS+RQ@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Mick O'Rourke <mkorourke+nanog@gmail.com> wrote:
> In the potentially interesting and perhaps not so positive - one of the
> common EDNS tests via Google pub DNS fails.
Google Public DNS's upstream behaviour is different depending on
whether its clients demonstrate knowledge of DNSSEC:
Large EDNS buffer size with client DNSSEC:
$ dig +dnssec +short rs.dns-oarc.net. txt @8.8.8.8
rst.x1185.rs.dns-oarc.net.
rst.x1187.x1185.rs.dns-oarc.net.
rst.x1193.x1187.x1185.rs.dns-oarc.net.
"74.125.18.151 DNS reply size limit is at least 1193"
"74.125.18.151 sent EDNS buffer size 1232"
"Tested at 2013-01-30 14:51:49 UTC"
No EDNS without client DNSSEC:
$ dig +short rs.dns-oarc.net. txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.17.217 DNS reply size limit is at least 490"
"74.125.17.217 lacks EDNS, defaults to 512"
"Tested at 2013-01-30 14:52:51 UTC"
DNSSEC validation for DNSSEC clients:
$ dig +dnssec +noall +comments no-dnssec.dotat.at @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
Insecure DNS for other clients even if you set the AD flag to ask for it:
$ dig +adflag +noall +comments no-dnssec.dotat.at soa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54593
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
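The four dig invocations in the message above probe two things: whether the
resolver advertises EDNS (and what buffer size) to the client, and whether it
returns SERVFAIL for a domain whose DNSSEC chain is deliberately broken. The
script below is an added example, not part of the original post or of any
Google tooling: it builds the same queries on the wire by hand (no dnspython),
so the DO bit, the AD flag and the presence of an OPT record can each be
toggled independently (note that plain `dig +adflag` still sends EDNS by
default; here EDNS is a separate switch), and it parses the header and OPT
record of the reply. The names queried are the ones from the message; the
server address and the byte string SAMPLE_SERVFAIL are assumptions made for
the example, the latter being a constructed reply rather than captured traffic.

```python
"""Probe a resolver's EDNS / DNSSEC behaviour with hand-built DNS packets.

Added example (not from the original post). Assumptions: the resolver is
reachable on UDP/53 at SERVER, and SAMPLE_SERVFAIL is a constructed reply
that mirrors the SERVFAIL shown in the thread, not a packet capture.
"""
import socket
import struct

SERVER = "8.8.8.8"                       # assumed resolver under test
QTYPE = {"A": 1, "SOA": 6, "TXT": 16}
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
FLAG_RD, FLAG_RA, FLAG_AD = 0x0100, 0x0080, 0x0020
OPT_DO = 0x8000                          # DO bit: top bit of the OPT "TTL" field


def encode_name(name):
    """Dotted name -> uncompressed wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234, edns=False, do=False,
                adflag=False, udp_size=4096):
    """Wire-format query.

    edns=True  adds an OPT RR advertising udp_size (dig default).
    do=True    additionally sets DO in that OPT RR  (dig +dnssec).
    adflag=True sets AD in the header              (dig +adflag).
    edns=False sends a pre-EDNS, 512-byte-limited query.
    """
    edns = edns or do                    # DO lives inside OPT, so DO implies EDNS
    flags = FLAG_RD | (FLAG_AD if adflag else 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    if edns:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size,
        # TTL carries extended-rcode / version / flags (DO is the top flag bit).
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_size, OPT_DO if do else 0, 0)
    return pkt


def skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        l = buf[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:             # compression pointer terminates the name
            return off + 2
        off += 1 + l


def parse_reply(buf):
    """Extract rcode, AD/RA, answer count and the OPT record (if any)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    info = {"id": txid, "rcode": flags & 0x000F,
            "rcode_name": RCODE_NAME.get(flags & 0x000F, str(flags & 0x000F)),
            "ad": bool(flags & FLAG_AD), "ra": bool(flags & FLAG_RA),
            "answers": an, "edns": False, "do": False, "udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4    # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                  # OPT pseudo-RR
            info.update(edns=True, udp_size=rclass, do=bool(ttl & OPT_DO))
    return info


def probe(name, qtype="A", server=SERVER, timeout=3.0, **kw):
    """Send one query over UDP and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, **kw), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_reply(data)


# Constructed (not captured) reply: id 54190, flags qr rd ra, SERVFAIL,
# one question, no answers, one OPT RR with DO set and udp size 512.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 54190, 0x8000 | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)
                   + encode_name("no-dnssec.dotat.at") + struct.pack("!HH", 1, 1)
                   + b"\x00" + struct.pack("!HHIH", 41, 512, OPT_DO, 0))

if __name__ == "__main__":
    # The two validation checks from the message: DO set vs. AD flag only.
    print("DO set:   ", probe("no-dnssec.dotat.at", "A", do=True))
    print("AD flag:  ", probe("no-dnssec.dotat.at", "SOA", edns=True, adflag=True))
    # The dns-oarc size test, with and without any EDNS at all.
    print("TXT/DO:   ", probe("rs.dns-oarc.net", "TXT", do=True))
    print("TXT/noED: ", probe("rs.dns-oarc.net", "TXT", edns=False))
```

Run it with network access to reproduce the thread's observation: the DO
query should come back SERVFAIL, the AD-only query NOERROR with AD still
clear. The `parse_reply` output for the TXT probes only shows whether the
resolver itself speaks EDNS to you; the per-hop reply-size result is in the
TXT rdata, which `dig +short` prints and this parser deliberately leaves alone.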