Google's Public DNS does DNSSEC validation

Tony Finch dot at dotat.at
Wed Jan 30 14:59:23 UTC 2013


Mick O'Rourke <mkorourke+nanog at gmail.com> wrote:

> In the potentially interesting and perhaps not so positive - one of the
> common EDNS tests via Google pub DNS fails.

Google Public DNS's upstream behaviour is different depending on
whether its clients demonstrate knowledge of DNSSEC:

Large EDNS buffer size with client DNSSEC:

$ dig +dnssec +short rs.dns-oarc.net. txt @8.8.8.8
rst.x1185.rs.dns-oarc.net.
rst.x1187.x1185.rs.dns-oarc.net.
rst.x1193.x1187.x1185.rs.dns-oarc.net.
"74.125.18.151 DNS reply size limit is at least 1193"
"74.125.18.151 sent EDNS buffer size 1232"
"Tested at 2013-01-30 14:51:49 UTC"

No EDNS without client DNSSEC:

$ dig +short rs.dns-oarc.net. txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.17.217 DNS reply size limit is at least 490"
"74.125.17.217 lacks EDNS, defaults to 512"
"Tested at 2013-01-30 14:52:51 UTC"

DNSSEC validation for DNSSEC clients:

$ dig +dnssec +noall +comments no-dnssec.dotat.at @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512

Insecure DNS for other clients even if you set the AD flag to ask for it:

$ dig +adflag +noall +comments no-dnssec.dotat.at soa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54593
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
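The runs above are easier to interpret with the wire format in front of you: the DO bit that `dig +dnssec` sets lives in the OPT pseudo-RR, not in the header, while the AD flag that `+adflag` sets is a header bit that a non-validating path simply ignores. The following is an added, self-contained illustration of exactly that (it is not code from the post, from Tony, or from Google): it builds the two kinds of query, parses the header flags and OPT section the way `dig +comments` prints them, and runs the parser over constructed replies modelled on the two `no-dnssec.dotat.at` results. The reply bytes are fixtures, not captured 8.8.8.8 traffic; to reproduce the real thing, send `build_query(...)` to 8.8.8.8:53 over UDP and feed the datagram to `parse_response`.

```python
"""Build DNS queries with and without the EDNS0 DO bit and decode the flags
that separate a validated/failed answer from an insecure one.
Added example; the replies below are constructed fixtures modelled on the
dig output in the post, not packets captured from 8.8.8.8."""
import struct

DO = 0x8000          # DNSSEC OK: top bit of the OPT RR's 16 extended flags (RFC 6891)
OPT = 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-encode a dotted name; "" or "." becomes the single root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(pkt, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", end if end is not None else off


def opt_rr(udp_size, dnssec_ok):
    # name ".", type OPT, class = requestor's UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | flags(16), no options
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO if dnssec_ok else 0, 0)


def build_query(qname, qtype, txid, edns=True, dnssec_ok=False, ad=False, udp_size=4096):
    """Wire equivalent of `dig [+dnssec] [+adflag] [+noedns] qname qtype`."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    return pkt + opt_rr(udp_size, dnssec_ok) if edns else pkt


def build_response(query, rcode, extra_flags=0, answer=None, edns=None):
    """Construct a reply to `query` (fixture only). `answer` is
    (name, type, ttl, rdata); `edns` is (udp_size, do)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = FLAG_QR | (qflags & FLAG_RD) | FLAG_RA | extra_flags | rcode
    body = question
    if answer:
        name, rtype, ttl, rdata = answer
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    if edns:
        body += opt_rr(*edns)
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 1 if edns else 0) + body


def parse_response(pkt):
    """Return the header fields and OPT pseudo-section that `dig +comments` prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4                                   # qtype + qclass
    info = {"id": txid, "rcode": RCODE.get(flags & 0xF, flags & 0xF),
            "flags": [n for n, b in (("qr", FLAG_QR), ("rd", FLAG_RD), ("ra", FLAG_RA),
                                     ("ad", FLAG_AD), ("cd", FLAG_CD)) if flags & b],
            "answer": an, "edns": None}
    for _ in range(an + ns + ar):
        _, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:                           # OPT class carries the buffer size, TTL the DO bit
            info["edns"] = {"udp": rclass, "version": (ttl >> 16) & 0xFF, "do": bool(ttl & DO)}
    return info


def demo():
    """Model the two no-dnssec.dotat.at runs from the post with constructed replies."""
    q_do = build_query("no-dnssec.dotat.at", 1, 54190, dnssec_ok=True)
    # validating path: DO set, broken chain -> SERVFAIL, OPT echoes DO, udp 512
    r_do = build_response(q_do, 2, edns=(512, True))
    q_ad = build_query("no-dnssec.dotat.at", 6, 54593, ad=True)
    # non-validating path: AD in the query is ignored; an answer comes back with neither AD nor DO
    r_ad = build_response(q_ad, 0, answer=("no-dnssec.dotat.at", 6, 300, b"constructed-soa"),
                          edns=(512, False))
    return parse_response(r_do), parse_response(r_ad)
```

The two things to look at in `demo()`'s output are the `edns["do"]` field, which only a DO-aware client gets back, and the absence of `"ad"` in the second reply's flag list even though the query asked for it.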


