Mick O'Rourke <mkorourke+nanog@gmail.com> wrote:
> In the potentially interesting and perhaps not so positive - one of the common EDNS tests via Google pub DNS fails.
Google Public DNS's upstream behaviour is different depending on whether its client demonstrates knowledge of DNSSEC:

Large EDNS buffer size with client DNSSEC:

$ dig +dnssec +short rs.dns-oarc.net. txt @8.8.8.8
rst.x1185.rs.dns-oarc.net.
rst.x1187.x1185.rs.dns-oarc.net.
rst.x1193.x1187.x1185.rs.dns-oarc.net.
"74.125.18.151 DNS reply size limit is at least 1193"
"74.125.18.151 sent EDNS buffer size 1232"
"Tested at 2013-01-30 14:51:49 UTC"

No EDNS without client DNSSEC:

$ dig +short rs.dns-oarc.net. txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.17.217 DNS reply size limit is at least 490"
"74.125.17.217 lacks EDNS, defaults to 512"
"Tested at 2013-01-30 14:52:51 UTC"

DNSSEC validation for DNSSEC clients:

$ dig +dnssec +noall +comments no-dnssec.dotat.at @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512

Insecure DNS for other clients even if you set the AD flag to ask for it:

$ dig +adflag +noall +comments no-dnssec.dotat.at soa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54593
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512

Tony.
-- 
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
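The distinction Tony's dig runs expose (a reply's rcode, the AD bit, and whether the OPT pseudosection carries the DO bit and which UDP payload size) is all in the DNS wire format. As an added example that is not part of the thread, the Python below builds a query with or without an EDNS0 OPT record and DO bit, and parses the header flags, rcode and OPT record out of a message, which is what dig's +dnssec, +adflag and +comments options drive and display. The two replies at the bottom are constructed to have the same shape as the two +comments outputs above (ids 54190 and 54593, udp 512, SERVFAIL versus NOERROR); the SOA contents and the `.invalid` names in them are placeholders, not real data.

```python
"""Build DNS queries with/without EDNS0 + DO and read EDNS/flag details back
out of a reply.  Added example, not code from the original thread."""
import struct

TYPE_A, TYPE_SOA, TYPE_TXT, TYPE_OPT = 1, 6, 16, 41
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000          # DNSSEC OK bit lives in the OPT record's TTL field
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Uncompressed wire-format owner name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(rtype, ttl, rdata, name=b"\xC0\x0C"):
    """Resource record; owner defaults to a compression pointer to the question name."""
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_message(msg_id, flags, qname, qtype, rcode=0, edns=None, answers=()):
    """edns = (udp_payload_size, do_bit) adds an OPT record; None means no EDNS at all."""
    arcount = 1 if edns else 0
    hdr = struct.pack("!HHHHHH", msg_id, flags | (rcode & 0xF), 1, len(answers), 0, arcount)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answers)
    if edns:
        udp_size, do_bit = edns
        # OPT: root owner name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags
        body += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do_bit else 0, 0)
    return hdr + body


def build_query(qname, qtype, edns=False, dnssec=False, adflag=False, udp_size=4096):
    """Client side: RD always; AD on request (+adflag); OPT with DO when dnssec (+dnssec)."""
    flags = FLAG_RD | (FLAG_AD if adflag else 0)
    opt = (udp_size, dnssec) if (edns or dnssec) else None
    return build_message(0x1234, flags, qname, qtype, edns=opt)


def _skip_name(data, off):
    """Advance past an owner name, handling a compression pointer (two bytes, ends the name)."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_message(data):
    """Return header flags, rcode, answer count and the OPT pseudosection (or None)."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": msg_id, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "answer": an, "edns": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == TYPE_OPT:
            info["edns"] = {"udp": rclass, "version": (ttl >> 16) & 0xFF,
                            "do": bool(ttl & EDNS_DO)}
        off += 10 + rdlen
    return info


def describe(data):
    """One-line summary in the spirit of dig's +comments output."""
    m = parse_message(data)
    flags = " ".join(f for f in ("qr", "rd", "ra", "ad") if m[f])
    if m["edns"] is None:
        edns = "no EDNS"
    else:
        edns = "EDNS udp %d%s" % (m["edns"]["udp"], ", do" if m["edns"]["do"] else "")
    return "status: %s, flags: %s; ANSWER: %d; %s" % (m["rcode"], flags, m["answer"], edns)


# Constructed replies shaped like the two +comments outputs in the thread (placeholder SOA data).
SOA_RDATA = (encode_name("ns.example.invalid") + encode_name("hostmaster.example.invalid")
             + struct.pack("!IIIII", 2013013001, 3600, 900, 604800, 300))
SERVFAIL_REPLY = build_message(54190, FLAG_QR | FLAG_RD | FLAG_RA, "no-dnssec.dotat.at",
                               TYPE_A, rcode=2, edns=(512, True))
INSECURE_REPLY = build_message(54593, FLAG_QR | FLAG_RD | FLAG_RA, "no-dnssec.dotat.at",
                               TYPE_SOA, rcode=0, edns=(512, False),
                               answers=(rr(TYPE_SOA, 300, SOA_RDATA),))

if __name__ == "__main__":
    print(describe(build_query("rs.dns-oarc.net", TYPE_TXT, dnssec=True)))
    print(describe(SERVFAIL_REPLY))
    print(describe(INSECURE_REPLY))
```

Sending `build_query(...)` over UDP to a resolver and feeding the reply to `describe()` reproduces the comparison above: a query with DO set is the only one that can come back SERVFAIL from validation failure, and setting AD in the query without DO is, per the reply's flags, not treated as a request for validation.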