Not sure about that. I get the AD bit back but oddly enough, the Swedish deliberately broken site trasigdnssec.se does not servfail on the 8.8.8.8/8.8.4.4 but it does on the google dns v6 address:

stephan@pi:~$ dig @8.8.8.8 trasigdnssec.se +dnssec

; <<>> DiG 9.6-ESV-R1 <<>> @8.8.8.8 trasigdnssec.se +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58525
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;trasigdnssec.se. IN A

;; ANSWER SECTION:
trasigdnssec.se. 167 IN A 212.247.206.40

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 28 18:10:31 2013
;; MSG SIZE rcvd: 60

stephan@pi:~$ dig @2001:4860:4860::8888 trasigdnssec.se +dnssec

; <<>> DiG 9.6-ESV-R1 <<>> @2001:4860:4860::8888 trasigdnssec.se +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45259
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;trasigdnssec.se. IN A

;; Query time: 68 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Mon Jan 28 18:10:40 2013
;; MSG SIZE rcvd: 44

> -----Original Message-----
> From: [email protected] [mailto:dns-operations-
> [email protected]] On Behalf Of Frederico A C Neves
> Sent: Monday, January 28, 2013 11:06 AM
> To: Joe Abley
> Cc: [email protected] List
> Subject: Re: [dns-operations] google DNS doing validation?
>
> Hi Joe,
>
> Yes it has all the signs that it's actually doing real validation. This
> is from a São Paulo node. Follows valid, failed signed records and a
> traceroute.
>
> Fred
>
> ~$ dig @8.8.8.8 registro.br a +dnssec +m
>
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 registro.br a +dnssec +m
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54463
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL:
> ; 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;registro.br. IN A
>
> ;; ANSWER SECTION:
> registro.br. 5912 IN A 200.160.2.3
> registro.br. 5912 IN RRSIG A 5 2 172800 20130319113229 (
>     20130108113229 54964 registro.br.
>     M600GFMEi0vlGdW0mt9ZuT4zD8fV+vSTAVBkEW3gDaJo
>     zhImRxIT0mSy8XzNLwWyqLqqS0db6muQkTxjOWpnWlH8
>     hcMsaJp/4zCu8/+43Sfp5VCZMw01mhwCN3Z9tF6is+aU
>     sDUTnlRfu2BQjrFzqHzPvsm5jNLYQSGFx+3tpJ6DX11M
>     lkME+YBCmCYeUmL8 )
>
> ;; Query time: 2 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 28 14:38:13 2013
> ;; MSG SIZE rcvd: 243
>
> ~$ dig @8.8.8.8 signfail.ceptro.br a +dnssec +m
>
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 signfail.ceptro.br a +dnssec +m
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12149
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;signfail.ceptro.br. IN A
>
> ;; Query time: 19 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jan 28 14:57:27 2013
> ;; MSG SIZE rcvd: 47
>
> ~$ traceroute -q 1 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
>  1 xe-1-0-1.2.ar1.in.REGISTRO.BR (200.160.3.65) 0.376 ms
>  2 ae0-0.core1.nu.registro.br (200.160.0.253) 0.594 ms
>  3 xe-0-0-0-0.gw2.nu.registro.br (200.160.0.171) 0.717 ms
>  4 as15169.sp.ptt.br (187.16.216.55) 1.059 ms
>  5 209.85.243.200 (209.85.243.200) 1.887 ms
>  6 72.14.233.91 (72.14.233.91) 1.488 ms
>  7 64.233.175.18 (64.233.175.18) 3.067 ms
>  8 google-public-dns-a.google.com (8.8.8.8) 1.708 ms
>
> On Mon, Jan 28, 2013 at 11:35:18AM -0500, Joe Abley wrote:
> > Hi all,
> >
> > I haven't seen anybody else mention this out loud, but since early
> > last week (doing a DNSSEC workshop with NSRC at NZNOG 2013) we saw
> > 8.8.8.8 giving secure answers when queried with EDNS0/DO=1.
> >
> > The responding node of 8.8.8.8 we saw in Wellington was in Sydney, I
> > think (routing out through REANZ) but I see the same thing from my desk
> > at home so perhaps this is a widespread change.
> >
> > 8.8.8.8 doesn't seem to support NSID, ID.SERVER/CH/TXT or
> > HOSTNAME.BIND/CH/TXT but I included a traceroute in case anybody is
> > interested.
> >
> > The FAQ still says that responses are not validated, but perhaps there
> > is a documentation gap.
> > <https://developers.google.com/speed/public-dns/faq#dnssec>
> >
> >
> > Joe
> >
> > [krill:~]% dig @8.8.8.8 hopcount.ca MX +dnssec
> >
> > ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hopcount.ca MX +dnssec
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21782
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 512
> > ;; QUESTION SECTION:
> > ;hopcount.ca. IN MX
> >
> > ;; ANSWER SECTION:
> > hopcount.ca. 21451 IN MX 10 mail.hopcount.ca.
> > hopcount.ca. 21451 IN RRSIG MX 5 2 86400 20130218080658
> >     20130119073027 37548 hopcount.ca.
> >     nZCKjUeb/yw6WKJjnHAkuGUWQJ4z0bAZ5A4Q/TCeUXHTlLXW/a9Ax8Aj
> >     Dw/CymTAWDisKW2yAhi2M9iU5xeQog1+gHmPL+laqsDsEPweYV21+o1W
> >     Zbb5jHyZKxlMqkW0QYaly4aE7USC4RLqAW+zJkP78Jz0qe/yy1mjddW0 6Ec=
> >
> > ;; Query time: 102 msec
> > ;; SERVER: 8.8.8.8#53(8.8.8.8)
> > ;; WHEN: Mon Jan 28 11:32:45 2013
> > ;; MSG SIZE rcvd: 232
> >
> > [krill:~]%
> > [krill:~]% traceroute 8.8.8.8
> > traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
> >  1 office.r1.owls.hopcount.ca (199.212.90.1) 2.328 ms 1.608 ms 1.863 ms
> >  2 216.235.0.30 (216.235.0.30) 55.019 ms 54.184 ms 55.669 ms
> >  3 216.235.0.133 (216.235.0.133) 66.517 ms 62.202 ms 57.321 ms
> >  4 gw-google.torontointernetxchange.net (206.108.34.6) 84.828 ms 53.842 ms 57.366 ms
> >  5 209.85.255.232 (209.85.255.232) 53.916 ms
> >    216.239.47.114 (216.239.47.114) 55.641 ms 56.410 ms
> >  6 72.14.236.224 (72.14.236.224) 75.079 ms
> >    72.14.236.226 (72.14.236.226) 75.515 ms 74.957 ms
> >  7 209.85.249.11 (209.85.249.11) 81.529 ms
> >    72.14.239.93 (72.14.239.93) 81.668 ms
> >    209.85.249.11 (209.85.249.11) 79.977 ms
> >  8 72.14.238.16 (72.14.238.16) 80.152 ms 80.997 ms
> >    72.14.238.18 (72.14.238.18) 80.736 ms
> >  9 72.14.232.21 (72.14.232.21) 79.942 ms 93.158 ms 93.146 ms
> > 10 google-public-dns-a.google.com (8.8.8.8) 80.808 ms 80.641 ms 79.708 ms
> > [krill:~]%
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
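
The check the posters in this thread make by eye, written out as an added example that is not part of any message above: read the header of saved `dig +dnssec` output for a correctly signed name and for a deliberately broken one, and combine the two results into a verdict on the resolver. The function names and the `sample` headers are constructed for illustration, shaped like the headers quoted in the thread.

```python
import re

def parse_dig(text):
    """Extract rcode, header flags and the echoed EDNS DO bit from dig output."""
    status = re.search(r"->>HEADER<<-.*?status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*?flags:([a-z ]*);", text, re.M)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "do": bool(edns) and "do" in edns.group(1).split(),
    }

def classify(signed_ok, signed_broken):
    """Judge a resolver from one validly signed name and one broken name."""
    good, bad = parse_dig(signed_ok), parse_dig(signed_broken)
    if not (good["do"] and bad["do"]):
        return "inconclusive: DO bit not echoed, query with +dnssec"
    if good["status"] != "NOERROR":
        return "inconclusive: control name did not resolve"
    ad = "ad" in good["flags"]            # resolver claims the data is authentic
    fails = bad["status"] == "SERVFAIL"   # resolver refuses bogus data
    if ad and fails:
        return "validating"
    if not ad and not fails:
        return "not validating"
    return "inconsistent: AD=%s, broken name %s" % (ad, bad["status"])

def sample(status, flags):
    # Constructed dig header, not captured output.
    return (";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1\n"
            ";; flags: %s; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
            "; EDNS: version: 0, flags: do; udp: 512\n" % (status, flags))

if __name__ == "__main__":
    signed = sample("NOERROR", "qr rd ra ad")
    # AD on the good name, SERVFAIL on the broken one
    print(classify(signed, sample("SERVFAIL", "qr rd ra")))
    # AD on the good name, but the broken name still resolves
    print(classify(signed, sample("NOERROR", "qr rd ra")))
```

The "inconsistent" verdict is the one worth chasing: different nodes or address families of the same anycast service can give different answers, so run the pair of queries against each address separately.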
