Google's Public DNS does DNSSEC validation

Livingood, Jason Jason_Livingood at cable.comcast.com
Wed Jan 30 13:55:58 UTC 2013


This is very positive - I hope more recursive resolvers start to adopt
DNSSEC as well.

Jason



On 1/29/13 3:05 AM, "Mansoor Nathani" <mnathani at winvive.com> wrote:

>I guess it's only a matter of time before they start validating all
>requests. And more importantly returning SERVFAIL for invalid hosts.
>
>Mansoor
>
>On Tue, Jan 29, 2013 at 2:04 AM, Marco Davids <mdavids at forfun.net> wrote:
>
>> This is interesting news; it seems that Google's Public DNS is
>> performing DNSSEC validation (when the DO-bit is set):
>>
>> dig +dnssec +multi www.dnssec.nl @8.8.8.8
>>
>> ; <<>> DiG 9.9.1-vjs163.18-P1 <<>> +dnssec +multi www.dnssec.nl @8.8.8.8
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51937
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ;; QUESTION SECTION:
>> ;www.dnssec.nl.        IN A
>>
>> ;; ANSWER SECTION:
>> www.dnssec.nl.        21580 IN A 213.154.228.160
>> www.dnssec.nl.        21580 IN RRSIG A 8 3 86400 (
>>                 20130227071505 20130128071505 33084 dnssec.nl.
>>                 J9MzudQJHT7UEFZDxioAeOSARqvN87stHIiXLdl1f6ZB
>>                 I3UGSqKIOlYpuaM7a6jk8k8oajUkGEHGOxa9ypJQHvlv
>>                 mAE6noaI5sZh6R6lnkd48zGs/xPg4BNODG2zNb3I/lQ3
>>                 2ojQtcs9AIMDEtH5+XISuwvPre5hhYkneM6mtUc= )
>>
>> ;; Query time: 28 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Tue Jan 29 08:03:53 2013
>> ;; MSG SIZE  rcvd: 227
>>
>> --
>> Marco Davids
>>
>>
>>
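
Added example, not part of the original thread: the two signals discussed above, the "ad" flag in the response header (visible in the dig output) and the "do" flag in the EDNS OPT record, read from DNS wire format in Python. The packets are constructed by build_sample() to mirror the quoted dig header rather than captured from 8.8.8.8, and the function names and verdict labels are assumptions of this example.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def dnssec_status(msg):
    """Report the header AD bit, the EDNS DO bit and a verdict for one DNS response."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                 # question: name, qtype, qclass
        off = skip_name(msg, off) + 4
    do_bit, udp_size = False, None
    for _ in range(an + ns + ar):       # RR: name, type, class, ttl, rdlength, rdata
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:                 # OPT: class holds UDP size, ttl holds the flags
            udp_size, do_bit = rclass, bool(ttl & 0x8000)
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    if rcode == 2:
        verdict = "servfail"            # validation failure is one possible cause
    elif rcode == 0 and ad:
        verdict = "validated"
    else:
        verdict = "not-validated"
    return {"id": ident, "rcode": rcode, "ad": ad, "do": do_bit,
            "udp": udp_size, "verdict": verdict}

def build_sample(flags, with_answer=True):
    """Constructed response for www.dnssec.nl; not a captured packet."""
    question = b"\x03www\x06dnssec\x02nl\x00" + struct.pack("!HH", 1, 1)
    answer = b""
    if with_answer:                     # A record, name compressed to offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 21580, 4) + bytes([213, 154, 228, 160])
    opt = b"\x00" + struct.pack("!HHIH", 41, 512, 0x8000, 0)   # EDNS0, DO set, udp 512
    header = struct.pack("!6H", 51937, flags, 1, 1 if with_answer else 0, 0, 1)
    return header + question + answer + opt

if __name__ == "__main__":
    print(dnssec_status(build_sample(0x81A0)))                     # qr rd ra ad, NOERROR
    print(dnssec_status(build_sample(0x8180)))                     # same, AD clear
    print(dnssec_status(build_sample(0x8182, with_answer=False)))  # SERVFAIL
```

The AD bit is only as trustworthy as the path between the client and the resolver, so a client that relies on it needs a trusted channel to that resolver or must validate locally.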



