| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 01/08/2013 12:39 AM, Benjamin Lee wrote: |
| 5 |
> On 01/07/2013 06:34 AM, Maxim Kammerer wrote: |
| 6 |
>> browser plugins? Also, how widespread is client DNSSEC support? |
| 7 |
>> E.g., I enabled DNSSEC for my domain, but not sure yet whether |
| 8 |
>> DNS resolution anywhere will fail in case DNS responses are |
| 9 |
>> spoofed. |
| 10 |
> |
| 11 |
> Comcast runs dnssec-failed.org, which is convenient for testing out |
| 12 |
> some DNSSEC validation failure cases. Using a validating resolver, |
| 13 |
> my client sees SERVFAIL: |
| 14 |
> |
| 15 |
> $ host dnssec-failed.org. Host dnssec-failed.org not found: |
| 16 |
> 2(SERVFAIL) |
| 17 |
|
| 18 |
The AD flag is missing on the answer (see bottom). |
| 19 |
Programs don't really use that lack of coping with that information. |
| 20 |
|
| 21 |
Openssh works, |
| 22 |
Firefox has an plugin http://www.dnssec-validator.cz/ |
| 23 |
|
| 24 |
I don't think SERVFAIL or NXDOMAIN is the right way to communicate an |
| 25 |
validation order. |
| 26 |
|
| 27 |
Michael |
| 28 |
|
| 29 |
p.s. there's dnssec-system-tray to have an eye on the unbound log. I |
| 30 |
can provide you with a setup description iff you like. |
| 31 |
|
| 32 |
michael@x ~ % dig dnssec-failed.org |
| 33 |
|
| 34 |
; <<>> DiG 9.9.2 <<>> dnssec-failed.org |
| 35 |
;; global options: +cmd |
| 36 |
;; Got answer: |
| 37 |
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62274 |
| 38 |
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 |
| 39 |
|
| 40 |
;; OPT PSEUDOSECTION: |
| 41 |
; EDNS: version: 0, flags:; udp: 4096 |
| 42 |
;; QUESTION SECTION: |
| 43 |
;dnssec-failed.org. IN A |
| 44 |
|
| 45 |
;; AUTHORITY SECTION: |
| 46 |
dnssec-failed.org. 7200 IN SOA dns101.comcast.org. |
| 47 |
dnsadmin.comcast.net. 2010101559 900 180 604800 7200 |
| 48 |
|
| 49 |
;; Query time: 1852 msec |
| 50 |
;; SERVER: ::1#53(::1) |
| 51 |
;; WHEN: Fri Jan 18 00:38:07 2013 |
| 52 |
;; MSG SIZE rcvd: 117 |
| 53 |
|
| 54 |
michael@x ~ % dig xmw.de |
| 55 |
|
| 56 |
; <<>> DiG 9.9.2 <<>> xmw.de |
| 57 |
;; global options: +cmd |
| 58 |
;; Got answer: |
| 59 |
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30196 |
| 60 |
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 |
| 61 |
|
| 62 |
;; OPT PSEUDOSECTION: |
| 63 |
; EDNS: version: 0, flags:; udp: 4096 |
| 64 |
;; QUESTION SECTION: |
| 65 |
;xmw.de. IN A |
| 66 |
|
| 67 |
;; ANSWER SECTION: |
| 68 |
xmw.de. 42 IN A 176.9.87.236 |
| 69 |
|
| 70 |
;; Query time: 1 msec |
| 71 |
;; SERVER: ::1#53(::1) |
| 72 |
;; WHEN: Fri Jan 18 00:39:53 2013 |
| 73 |
;; MSG SIZE rcvd: 51 |
| 74 |
|
| 75 |
|
| 76 |
- -- |
| 77 |
Michael Weber |
| 78 |
Gentoo Developer |
| 79 |
web: https://xmw.de/ |
| 80 |
mailto: Michael Weber <xmw@g.o> |
| 81 |
-----BEGIN PGP SIGNATURE----- |
| 82 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 83 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 84 |
|
| 85 |
iF4EAREIAAYFAlD4jLMACgkQknrdDGLu8JAAEAD8CYwlaeOcfZGIqwDurx4Bnhf8 |
| 86 |
H9+T1yirfVh/V9njmQUA/jCXhbi0MuLcQJeopyGT/xwR1EUlS1llH4pF8uAh29F8 |
| 87 |
=Mr9O |
| 88 |
-----END PGP SIGNATURE----- |
Archives