On 01/08/2013 12:39 AM, Benjamin Lee wrote:
> On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
>> browser plugins? Also, how widespread is client DNSSEC support?
>> E.g., I enabled DNSSEC for my domain, but not sure yet whether
>> DNS resolution anywhere will fail in case DNS responses are
>> spoofed.
>
> Comcast runs dnssec-failed.org, which is convenient for testing out
> some DNSSEC validation failure cases. Using a validating resolver,
> my client sees SERVFAIL:
>
> $ host dnssec-failed.org.
> Host dnssec-failed.org not found: 2(SERVFAIL)

The AD flag is missing on the answer (see bottom).
Programs don't really use that lack of coping with that information.

Openssh works,
Firefox has a plugin http://www.dnssec-validator.cz/

I don't think SERVFAIL or NXDOMAIN is the right way to communicate a
validation order.

Michael

p.s. there's dnssec-system-tray to have an eye on the unbound log. I
can provide you with a setup description if you like.

michael@x ~ % dig dnssec-failed.org

; <<>> DiG 9.9.2 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62274
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A

;; AUTHORITY SECTION:
dnssec-failed.org. 7200 IN SOA dns101.comcast.org. dnsadmin.comcast.net. 2010101559 900 180 604800 7200

;; Query time: 1852 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:38:07 2013
;; MSG SIZE rcvd: 117

michael@x ~ % dig xmw.de

; <<>> DiG 9.9.2 <<>> xmw.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xmw.de. IN A

;; ANSWER SECTION:
xmw.de. 42 IN A 176.9.87.236

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Jan 18 00:39:53 2013
;; MSG SIZE rcvd: 51

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@g.o>
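A client-side check of what the dig output in the mail shows, added here as an example (not code from the thread): it parses the 12-byte DNS header, reports the flags the way dig does, and classifies the answer by rcode and AD bit. The three headers are constructed to mirror the flags and section counts of the two dig runs and Benjamin's SERVFAIL case; the ID 4242 on the SERVFAIL header is made up. It assumes the answering resolver is a trusted local validator (::1 in the mail), since an AD bit set by an untrusted upstream proves nothing.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def parse_header(msg):
    """Return (id, flag names as dig prints them, rcode name, section counts)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    names = [n for bit, n in ((QR, "qr"), (AA, "aa"), (TC, "tc"), (RD, "rd"),
                              (RA, "ra"), (AD, "ad"), (CD, "cd")) if flags & bit]
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    return ident, names, rcode, (qd, an, ns, ar)


def classify(msg):
    """What a DNSSEC-aware client can conclude from a trusted validating resolver's reply.

    SERVFAIL: the validator refused to return data it could not authenticate
    (Benjamin's host output). AD set: the validator asserts the data is authentic.
    Neither: data came back, but nothing in the reply proves it (the mail's point).
    """
    _, flags, rcode, _ = parse_header(msg)
    if rcode == "SERVFAIL":
        return "bogus-or-error"
    if "ad" in flags and "cd" not in flags:
        return "validated"
    return "unvalidated"


def build_header(ident, flags, counts):
    """Pack a bare DNS header; no question or RR bodies are needed for the check."""
    return struct.pack("!6H", ident, flags, *counts)


# Constructed headers mirroring the replies shown in the mail:
DNSSEC_FAILED = build_header(62274, QR | RD | RA, (1, 0, 1, 1))       # NOERROR, no AD
XMW_DE = build_header(30196, QR | RD | RA | AD, (1, 1, 0, 1))         # NOERROR, AD set
SERVFAIL_MSG = build_header(4242, QR | RD | RA | 2, (1, 0, 0, 0))     # rcode 2 (made-up id)

if __name__ == "__main__":
    for name, msg in (("dnssec-failed.org", DNSSEC_FAILED), ("xmw.de", XMW_DE),
                      ("host servfail", SERVFAIL_MSG)):
        ident, flags, rcode, counts = parse_header(msg)
        print(f"{name}: id {ident} status {rcode} flags {' '.join(flags)} -> {classify(msg)}")
```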