On 01/08/2013 12:39 AM, Benjamin Lee wrote:
> On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
>> browser plugins? Also, how widespread is client DNSSEC support?
>> E.g., I enabled DNSSEC for my domain, but not sure yet whether
>> DNS resolution anywhere will fail in case DNS responses are
>> spoofed.
> 
> Comcast runs dnssec-failed.org, which is convenient for testing out
> some DNSSEC validation failure cases.  Using a validating resolver,
> my client sees SERVFAIL:
> 
> $ host dnssec-failed.org.
> Host dnssec-failed.org not found: 2(SERVFAIL)

The AD flag is missing on the answer (see bottom).
Programs don't really use that; there is a lack of coping with that information.

OpenSSH works,
Firefox has a plugin: http://www.dnssec-validator.cz/

I don't think SERVFAIL or NXDOMAIN is the right way to communicate a
validation error.

Michael

p.s. there's dnssec-system-tray to keep an eye on the unbound log. I
can provide you with a setup description if you like.

michael@x ~ % dig dnssec-failed.org

; <<>> DiG 9.9.2 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62274
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; AUTHORITY SECTION:
dnssec-failed.org.      7200    IN      SOA     dns101.comcast.org. dnsadmin.comcast.net. 2010101559 900 180 604800 7200

;; Query time: 1852 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:38:07 2013
;; MSG SIZE  rcvd: 117

michael@x ~ % dig xmw.de

; <<>> DiG 9.9.2 <<>> xmw.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xmw.de.                                IN      A

;; ANSWER SECTION:
xmw.de.                 42      IN      A       176.9.87.236

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:39:53 2013
;; MSG SIZE  rcvd: 51


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <x...@gentoo.org>
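The point made above (SERVFAIL from the validating resolver for dnssec-failed.org, and the AD flag present on the xmw.de answer but absent on the failed one) can be checked programmatically instead of by eyeballing dig output. The following is an added example, not code from this thread or from any of the tools mentioned in it. It builds a minimal wire-format query with the EDNS0 DO bit set, parses the response header flags (QR, RD, RA, AD, CD, RCODE), and classifies the answer the way a stub on the same host as the resolver (::1 in the dig runs above) could; the three sample responses are constructed inline with the flag values shown in the dig headers. The `query_resolver` helper is only used when the script is run directly and the resolver is reachable. Note that AD is only trustworthy when the path to the resolver itself is trusted (a validator on localhost, or a channel the resolver's operator protects); over an untrusted network the flag can be set or cleared by whoever rewrites the packet, which is why the page's setup queries ::1.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035).
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # Authentic Data: the resolver validated this answer
FLAG_CD = 1 << 4   # Checking Disabled: client asked the resolver not to validate
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's flags field


def build_query(name, qid=0x1234, qtype=1, want_dnssec=True):
    """Wire-format query for `name` (default type A) with RD set and,
    when want_dnssec is True, an EDNS0 OPT record carrying the DO bit."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if want_dnssec:
        # OPT RR: root owner name, TYPE 41, UDP payload 4096,
        # extended RCODE 0, version 0, flags with DO set, RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a validation check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": RCODES.get(rcode, str(rcode)),
        "answer_count": an,
    }


def classify(hdr):
    """Read the header the way a client behind a validating resolver should:
    SERVFAIL may mean a DNSSEC validation failure (as for dnssec-failed.org),
    AD set means the resolver validated the data, otherwise it is unvalidated."""
    if hdr["rcode"] == "SERVFAIL":
        return "validation-failed-or-resolver-error"
    if hdr["ad"]:
        return "validated"
    return "unvalidated"


def make_response(qid, rcode=0, ad=False, answer_count=0):
    """Constructed sample response header (no body) for offline testing."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, 1, answer_count, 0, 0)


def query_resolver(name, server="::1", port=53, timeout=2.0):
    """Send one UDP query to a resolver and return the parsed response header.
    Assumes a local validating resolver like the unbound setup in the thread."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234 or not hdr["qr"]:
        raise ValueError("response does not match query")
    return hdr


if __name__ == "__main__":
    # Constructed headers mirroring the dig output: "qr rd ra" with NOERROR,
    # "qr rd ra ad" with NOERROR, and the SERVFAIL seen via host(1).
    samples = {
        "dnssec-failed.org (no AD)": make_response(1, rcode=0, ad=False),
        "xmw.de (AD set)": make_response(2, rcode=0, ad=True, answer_count=1),
        "dnssec-failed.org (SERVFAIL)": make_response(3, rcode=2),
    }
    for label, raw in samples.items():
        print(label, "->", classify(parse_header(raw)))
    try:
        print("live ::1 lookup of xmw.de ->", classify(query_resolver("xmw.de")))
    except (OSError, ValueError) as exc:
        print("live lookup skipped:", exc)
```

Only a SERVFAIL tells the client nothing about why the resolver refused; the thread's complaint that SERVFAIL is a poor signal for a validation failure is exactly what `classify` cannot distinguish, whereas the presence of AD on a NOERROR answer is a positive signal the client can act on.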
