Google's Public DNS does DNSSEC validation
This is interesting news; it seems that Google's Public DNS is performing DNSSEC validation (when the DO-bit is set):

dig +dnssec +multi www.dnssec.nl @8.8.8.8

; <<>> DiG 9.9.1-vjs163.18-P1 <<>> +dnssec +multi www.dnssec.nl @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51937
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.dnssec.nl. IN A

;; ANSWER SECTION:
www.dnssec.nl. 21580 IN A 213.154.228.160
www.dnssec.nl. 21580 IN RRSIG A 8 3 86400 (
 20130227071505 20130128071505 33084 dnssec.nl.
 J9MzudQJHT7UEFZDxioAeOSARqvN87stHIiXLdl1f6ZB
 I3UGSqKIOlYpuaM7a6jk8k8oajUkGEHGOxa9ypJQHvlv
 mAE6noaI5sZh6R6lnkd48zGs/xPg4BNODG2zNb3I/lQ3
 2ojQtcs9AIMDEtH5+XISuwvPre5hhYkneM6mtUc= )

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 29 08:03:53 2013
;; MSG SIZE rcvd: 227

--
Marco Davids
I guess it's only a matter of time before they start validating all requests and, more importantly, returning SERVFAIL for invalid hosts.

Mansoor

On Tue, Jan 29, 2013 at 2:04 AM, Marco Davids <mdavids@forfun.net> wrote:
This is very positive - I hope more recursive resolvers start to adopt DNSSEC as well.

Jason

On 1/29/13 3:05 AM, "Mansoor Nathani" <mnathani@winvive.com> wrote:
In the potentially interesting, and perhaps not so positive, category: one of the common EDNS tests via Google pub DNS fails.

https://www.dns-oarc.net/oarc/services/replysizetest

;; ANSWER SECTION:
rs.dns-oarc.net. 58 IN CNAME rst.x479.rs.dns-oarc.net.
rst.x479.rs.dns-oarc.net. 57 IN CNAME rst.x488.x479.rs.dns-oarc.net.
rst.x488.x479.rs.dns-oarc.net. 56 IN CNAME rst.x493.x488.x479.rs.dns-oarc.net.
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "2404:6800:4005:c00::156 DNS reply size limit is at least 493"
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "2404:6800:4005:c00::156 lacks EDNS, defaults to 512"
rst.x493.x488.x479.rs.dns-oarc.net. 55 IN TXT "Tested at 2013-01-30 14:29:05 UTC"

On Thu, Jan 31, 2013 at 12:55 AM, Livingood, Jason <Jason_Livingood@cable.comcast.com> wrote:
Mick O'Rourke <mkorourke+nanog@gmail.com> wrote:

In the potentially interesting, and perhaps not so positive, category: one of the common EDNS tests via Google pub DNS fails.

Google Public DNS's upstream behaviour is different depending on whether its client demonstrates knowledge of DNSSEC:

Large EDNS buffer size with client DNSSEC:

$ dig +dnssec +short rs.dns-oarc.net. txt @8.8.8.8
rst.x1185.rs.dns-oarc.net.
rst.x1187.x1185.rs.dns-oarc.net.
rst.x1193.x1187.x1185.rs.dns-oarc.net.
"74.125.18.151 DNS reply size limit is at least 1193"
"74.125.18.151 sent EDNS buffer size 1232"
"Tested at 2013-01-30 14:51:49 UTC"

No EDNS without client DNSSEC:

$ dig +short rs.dns-oarc.net. txt @8.8.8.8
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"74.125.17.217 DNS reply size limit is at least 490"
"74.125.17.217 lacks EDNS, defaults to 512"
"Tested at 2013-01-30 14:52:51 UTC"

DNSSEC validation for DNSSEC clients:

$ dig +dnssec +noall +comments no-dnssec.dotat.at @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512

Insecure DNS for other clients even if you set the AD flag to ask for it:

$ dig +adflag +noall +comments no-dnssec.dotat.at soa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54593
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
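The following is an added example, written for this archive page and not code posted by any participant in the thread. It reproduces in pure Python what Marco's "dig +dnssec" run and Tony's four dig cases exercise: building a query whose OPT record carries the DO bit (dig +dnssec), or one that only sets the AD header flag (dig +adflag), then reading the AD flag, RCODE and the responder's EDNS buffer size back out of the reply and classifying the result the way the thread does (AD set means validated; SERVFAIL on a DO query means validation failed; otherwise the answer is unvalidated). Assumptions: the wire format follows RFC 1035 and RFC 6891; the replies used by demo() are constructed locally by build_sample_reply and are not captured packets, with the names, address and query IDs copied from the thread's dig output only as labels; the query() helper needs network access and is only called from the __main__ block.

```python
"""Added example, not from the thread: minimal EDNS(0)/DNSSEC probe in pure
Python. Builds the query dig +dnssec sends (OPT RR with DO set), parses the
reply header and OPT RR, and classifies the outcome. RFC 1035 / RFC 6891."""
import random
import socket
import struct

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020  # RFC 1035/4035 header bits
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
EDNS_DO = 0x8000                 # DNSSEC OK bit, carried in the OPT RR's TTL field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(data, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def build_query(name, qtype=TYPE_A, do=True, ad=False, bufsize=4096, txid=None):
    """do=True appends an OPT RR with DO set (dig +dnssec); ad=True sets the AD header flag (dig +adflag)."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if do:   # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = extended flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return msg

def parse_response(data):
    """Summarise header flags, RCODE, answer RRs and the OPT record of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4            # skip QTYPE + QCLASS
    answers, opt = [], None
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            rdata = data[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype == TYPE_OPT:                 # for OPT, CLASS holds the EDNS buffer size
                opt = {"bufsize": rclass, "do": bool(ttl & EDNS_DO)}
            elif section == "answer":
                answers.append((rtype, socket.inet_ntoa(rdata) if rtype == TYPE_A else rdata))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answers": answers, "opt": opt}

def classify(summary):
    if summary["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"                         # DO query and validation failed
    return "validated" if summary["ad"] else "unvalidated"

def query(server, name, qtype=TYPE_A, do=True, ad=False, timeout=3.0):
    """Send one UDP query and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, do=do, ad=ad), (server, 53))
        return parse_response(s.recvfrom(4096)[0])

def build_sample_reply(query_bytes, rcode, ad, answer_ip=None, bufsize=None):
    """Constructed reply for offline use (not a captured packet): echoes the question,
    optionally one A RR via a compression pointer, optionally an OPT RR advertising bufsize."""
    txid, _, qd, _, _, _ = struct.unpack_from("!HHHHHH", query_bytes, 0)
    question = query_bytes[12:skip_name(query_bytes, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, qd, 1 if answer_ip else 0, 0,
                      1 if bufsize else 0) + question
    if answer_ip:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 21580, 4)
        msg += socket.inet_aton(answer_ip)
    if bufsize:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO, 0)
    return msg

def demo():
    """The thread's three outcomes, replayed on constructed replies."""
    ok = build_sample_reply(build_query("www.dnssec.nl", do=True, txid=51937),
                            RCODE_NOERROR, ad=True, answer_ip="213.154.228.160", bufsize=512)
    bogus = build_sample_reply(build_query("no-dnssec.dotat.at", do=True, txid=54190),
                               RCODE_SERVFAIL, ad=False, bufsize=512)
    plain = build_sample_reply(build_query("no-dnssec.dotat.at", do=False, ad=True, txid=54593),
                               RCODE_NOERROR, ad=False)
    return tuple(classify(parse_response(r)) for r in (ok, bogus, plain))

if __name__ == "__main__":
    print(demo())                                 # ('validated', 'SERVFAIL', 'unvalidated')
    for do, ad in ((True, False), (False, True)):  # live check against 8.8.8.8, needs network
        print(do, ad, query("8.8.8.8", "www.dnssec.nl", do=do, ad=ad))
```

Run directly it first replays the constructed cases and then sends the two live queries Tony contrasts (DO set, and AD-flag-only) to 8.8.8.8, so the printed "ad" field and "opt" buffer size show whether the resolver validated and whether it spoke EDNS back. The classifier deliberately treats SERVFAIL as a validation failure only because the query carried DO; without DO a SERVFAIL tells you nothing about DNSSEC.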
participants (5)
- Livingood, Jason
- Mansoor Nathani
- Marco Davids
- Mick O'Rourke
- Tony Finch