dig -- only RRSIG present.

Mark Andrews marka at isc.org
Mon Feb 13 04:50:45 UTC 2012


In message <4F389087.50102 at gmail.com>, "dE ." writes:
> 
> On 02/12/12 23:13, Miek Gieben wrote:
> > [ Quoting <de.techno at gmail.com> at 23:10 on Feb 12 in "dig -- only RRSIG pr..." ]
> >> I'm trying to see DNSSEC response of various sites; my DNS server is
> >> 8.8.8.8 (google's public DNS service)
> > Google's public resolvers don't handle DNSSEC very well...
> >
> > grtz Miek
> >
> They claim that they do support -
> 
> http://code.google.com/speed/public-dns/faq.html#dnssec
 
Does Google Public DNS support the DNSSEC protocol?
   Google Public DNS supports EDNS0 extensions, which means that
   we accept and forward DNSSEC-formatted messages; however, we do
   not yet validate responses. We will continue to work on improving
   Google Public DNS.

Which says nothing about the special handling required for DS.  You
also can't be a reliable DNSSEC-aware recursive server without
validating the responses or without setting DO on upstream queries
when the client doesn't set DO.  If you don't validate you leave
yourself open to cache poisoning which will be detected by downstream
validators and they will have no way to recover.  If you don't set
DO on upstream queries your cache will be polluted by non-DNSSEC
responses.

The DNSSEC-aware recursive server needs a superset of the trust
anchors used by the clients.

All this has been pointed out on dnsext at ietf.org so hopefully Google
is paying attention there.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
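
Added example, not part of the message above or of BIND: a Python illustration of the two wire-level bits the reply turns on, the EDNS0 DO bit in a query and the AD flag in a response. It is run over a constructed response whose answer section holds only an RRSIG with AD clear; all function names and the sample message are assumptions made for illustration.

```python
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # header bit: resolver asserts it validated the answer
EDNS_DO = 0x8000   # "DNSSEC OK" bit, carried in the OPT record's TTL field

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def build_query(name, qtype=TYPE_A, do=True, qid=0x1234):
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # compression pointer: 2 bytes, root label: 1

def parse_response(msg):
    """Return (AD flag, DO bit seen in OPT, RR types in the answer section)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, do, answer_types = 12, False, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        elif i < an:
            answer_types.append(rtype)
    return bool(flags & FLAG_AD), do, answer_types

def verdict(msg):
    ad, _, types = parse_response(msg)
    if ad:
        return "resolver validated (AD set)"
    if TYPE_RRSIG in types:
        return "RRSIG passed through, not validated (AD clear)"
    return "no DNSSEC data in answer"

# Constructed response: QR|RD|RA, AD clear, answer holds only an RRSIG whose
# RDATA is 4 placeholder bytes (not a real signature), plus an OPT with DO.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
          + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 4) + b"\x00" * 4
          + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0))
```

An AD flag is only the resolver's assertion; a client that needs assurance over an untrusted path still has to validate the signatures itself.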