On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
> browser plugins? Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.
Comcast runs dnssec-failed.org, which is convenient for testing out some
DNSSEC validation failure cases. Using a validating resolver, my client
sees SERVFAIL:

  $ host dnssec-failed.org.
  Host dnssec-failed.org not found: 2(SERVFAIL)

and here are some example logs from the resolver (running BIND):

  named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
  named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53

-- 
Benjamin Lee
http://www.b1c1l1.com/
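The reply above shows what a validating resolver returns for a deliberately broken zone (SERVFAIL) but not how to tell that SERVFAIL apart from an ordinary resolver outage, nor how to see whether a resolver validates at all. The following script is an added example, not code from this thread or from BIND: it builds a raw DNS query with the EDNS0 DO bit, parses the response header, and classifies the result by issuing the same query twice, once normally and once with the CD (checking disabled) bit set. A zone that fails validation gives SERVFAIL on the first query but an answer on the second; a zone the resolver cannot reach at all fails both ways; a NOERROR answer carrying the AD flag means the resolver validated the chain of trust, and NOERROR without AD means either an unsigned zone or a non-validating resolver (which is the case Maxim's question is really about). The resolver address 127.0.0.1 in the main block is an assumption, and the `synthetic_response` helper builds constructed headers purely so the classification can be exercised offline.

```python
import random
import socket
import struct

# RCODEs from RFC 1035 (the thread's failure is 2, SERVFAIL).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Header flag bits: RFC 1035 section 4.1.1, plus AD/CD from RFC 4035.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_query(qname, qtype=1, txn_id=0x1234, checking_disabled=False):
    """Wire-format query: RD set, EDNS0 OPT record with the DO bit, optional CD.

    DO asks the resolver to include RRSIGs; CD asks it to skip validation and
    hand back whatever it has, which is how you tell 'bogus' from 'broken'."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL carries DO in bit 15.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header; only the flags and RCODE matter for the verdict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id, "qr": bool(flags & QR), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(normal, cd):
    """Combine a normal answer and a CD=1 answer for the same name into a verdict.

    bogus:    SERVFAIL normally but an answer with CD set -> data exists, signatures fail
    servfail: SERVFAIL both ways -> resolver/upstream trouble, not DNSSEC
    secure:   NOERROR with AD set -> resolver validated the chain of trust
    insecure: NOERROR without AD -> unsigned zone, or a non-validating resolver"""
    if normal["rcode"] == 2:
        return "bogus" if cd["rcode"] == 0 else "servfail"
    if normal["rcode"] == 0:
        return "secure" if normal["ad"] else "insecure"
    return RCODE_NAMES.get(normal["rcode"], "rcode%d" % normal["rcode"])


def synthetic_response(flags, txn_id=0x1234):
    """Constructed 12-byte response header (no records) for offline testing."""
    return struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)


def query(server, qname, checking_disabled=False, timeout=3.0):
    """Send one UDP query to `server` and return the parsed response header.

    The transaction ID is random and checked on the way back; a fixed ID would
    make the spoofing Maxim asks about trivial against this client."""
    txn_id = random.randrange(1, 0x10000)
    q = build_query(qname, txn_id=txn_id, checking_disabled=checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txn_id or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr


if __name__ == "__main__":
    # Assumed: a validating resolver on localhost, as in the BIND setup described above.
    resolver = "127.0.0.1"
    for name in ("dnssec-failed.org", "example.com"):
        verdict = classify(query(resolver, name),
                           query(resolver, name, checking_disabled=True))
        print(name, verdict)
```

Run against the thread's BIND resolver, dnssec-failed.org should come back "bogus"; pointed at a resolver that does not validate, the same name comes back "insecure", which is the quickest way to answer the question of whether a given client's resolution would actually fail on spoofed responses. Note that AD is only meaningful over a path you trust (a stub talking to a remote resolver over plain UDP can have the flag spoofed along with everything else), so the flag tells you what the resolver concluded, not that the last hop is safe.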