Google's Public DNS does DNSSEC validation

Mick O'Rourke mkorourke+nanog at gmail.com
Wed Jan 30 14:33:05 UTC 2013


On the potentially interesting and perhaps not so positive side - one of the
common EDNS tests via Google pub DNS fails.

https://www.dns-oarc.net/oarc/services/replysizetest

;; ANSWER SECTION:
rs.dns-oarc.net. 58 IN CNAME rst.x479.rs.dns-oarc.net.
rst.x479.rs.dns-oarc.net. 57 IN CNAME rst.x488.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net. 56 IN CNAME rst.x493.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "2404:6800:4005:c00::156 DNS reply size limit is at least 493"
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "2404:6800:4005:c00::156 lacks EDNS, defaults to 512"
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "Tested at 2013-01-30 14:29:05 UTC"



On Thu, Jan 31, 2013 at 12:55 AM, Livingood, Jason <
Jason_Livingood at cable.comcast.com> wrote:

> This is very positive - I hope more recursive resolvers start to adopt
> DNSSEC as well.
>
> Jason
>
>
>
> On 1/29/13 3:05 AM, "Mansoor Nathani" <mnathani at winvive.com> wrote:
>
> >I guess it's only a matter of time before they start validating all
> >requests. And more importantly returning SERVFAIL for invalid hosts.
> >
> >Mansoor
> >
> >On Tue, Jan 29, 2013 at 2:04 AM, Marco Davids <mdavids at forfun.net> wrote:
> >
> >> This is interesting news; it seems that Google's Public DNS is
> >> performing DNSSEC validation (when the DO-bit is set):
> >>
> >> dig +dnssec +multi www.dnssec.nl @8.8.8.8
> >>
> >> ; <<>> DiG 9.9.1-vjs163.18-P1 <<>> +dnssec +multi www.dnssec.nl @8.8.8.8
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51937
> >> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags: do; udp: 512
> >> ;; QUESTION SECTION:
> >> ;www.dnssec.nl.        IN A
> >>
> >> ;; ANSWER SECTION:
> >> www.dnssec.nl.        21580 IN A 213.154.228.160
> >> www.dnssec.nl.        21580 IN RRSIG A 8 3 86400 (
> >>                 20130227071505 20130128071505 33084 dnssec.nl.
> >>                 J9MzudQJHT7UEFZDxioAeOSARqvN87stHIiXLdl1f6ZB
> >>                 I3UGSqKIOlYpuaM7a6jk8k8oajUkGEHGOxa9ypJQHvlv
> >>                 mAE6noaI5sZh6R6lnkd48zGs/xPg4BNODG2zNb3I/lQ3
> >>                 2ojQtcs9AIMDEtH5+XISuwvPre5hhYkneM6mtUc= )
> >>
> >> ;; Query time: 28 msec
> >> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> >> ;; WHEN: Tue Jan 29 08:03:53 2013
> >> ;; MSG SIZE  rcvd: 227
> >>
> >> --
> >> Marco Davids
> >>
> >>
> >>
>
>
>
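
The fields this thread turns on (the DO bit in the query's OPT record, the AD flag in the reply header, and the EDNS UDP size whose absence makes the OARC test report "lacks EDNS, defaults to 512"), decoded at the wire level. This is an added Python example, not part of the original thread; the function names and the sample reply bytes are constructed for illustration.

```python
import struct

def build_query(name, udp_size=4096, do=True, qid=0x1234):
    """Encode an A query; udp_size=None omits the EDNS0 OPT record entirely."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    opt = b""
    if udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do else 0, 0)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if opt else 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def _skip_name(msg, off):
    """Step over a possibly compressed domain name, returning the next offset."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + n

def inspect(msg):
    """Return rcode, the AD flag and the EDNS fields dig prints (edns=None if no OPT)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "edns": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            out["edns"] = {"udp": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000)}
    return out

def reply_size_limit(query):
    """Largest UDP reply a server may send for this query (512 without EDNS)."""
    edns = inspect(query)["edns"]
    return 512 if edns is None else max(512, edns["udp"])

def sample_response():
    """Constructed reply (not a capture): flags qr rd ra ad, one A record, OPT udp=512 do."""
    q = build_query("www.dnssec.nl", udp_size=512)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 21580, 4) + bytes([213, 154, 228, 160])
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
    return header + q[12:-11] + answer + q[-11:]
```

`inspect(sample_response())` yields the same header and OPT values as the quoted dig output (`ad` set, `udp: 512`, `do`), and `reply_size_limit()` on a query built with `udp_size=None` gives the 512-byte default the reply size test reports.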


