Google's Public DNS does DNSSEC validation
Tony Finch
dot at dotat.at
Wed Jan 30 14:59:23 UTC 2013
Mick O'Rourke <mkorourke+nanog at gmail.com> wrote:
> In the potentially interestingly and perhaps not so positive - one of the
> common EDNS tests via Google pub DNS fails.
Google Public DNS's upstream behaviour is different depending on
whether its client demonstrate knowledge of DNSSEC:
Large EDNS buffer size with client DNSSEC:
$ dig +dnssec +short rs.dns-oarc.net. txt @8.8.8.8
rst.x1185.rs.dns-oarc.net.
rst.x1187.x1185.rs.dns-oarc.net.
rst.x1193.x1187.x1185.rs.dns-oarc.net.
"74.125.18.151 DNS reply size limit is at least 1193"
"74.125.18.151 sent EDNS buffer size 1232"
"Tested at 2013-01-30 14:51:49 UTC"
No EDNS without client DNSSEC:
$ dig +short rs.dns-oarc.net. txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.17.217 DNS reply size limit is at least 490"
"74.125.17.217 lacks EDNS, defaults to 512"
"Tested at 2013-01-30 14:52:51 UTC"
DNSSEC validation for DNSSEC clients:
$ dig +dnssec +noall +comments no-dnssec.dotat.at @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
Insecure DNS for other clients even if you set the AD flag to ask for it:
$ dig +adflag +noall +comments no-dnssec.dotat.at soa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54593
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
More information about the NANOG
mailing list