On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
> browser plugins? Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.

Comcast runs dnssec-failed.org, which is convenient for testing out some
DNSSEC validation failure cases. Using a validating resolver, my client
sees SERVFAIL:

$ host dnssec-failed.org.
Host dnssec-failed.org not found: 2(SERVFAIL)

and here are some example logs from the resolver (running BIND):

named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53


--
Benjamin Lee
http://www.b1c1l1.com/
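The two BIND log lines quoted above are what a validating resolver emits when a zone fails DNSSEC validation; an operator who wants to alert on such failures (and distinguish them from ordinary query noise) can parse them into structured records. The following is an added example, not code from the message or from BIND; the regular expressions and the third, benign sample line are assumptions constructed to match the quoted log format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log: the two validation-failure lines quoted in the
# message plus an ordinary query line that the parser should ignore.
SAMPLE_LOG = """\
named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53
named[80369]: client 192.0.2.10#5353 (example.com): query: example.com IN A + (192.0.2.1)
"""

# "validating @0x...: <name> <rrtype>: <reason>" (assumed layout, from the quoted line)
VALIDATING_RE = re.compile(
    r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rrtype>\S+): (?P<reason>.+)$")
# "error (<reason>) resolving '<name>/<rrtype>/<class>': <server>#<port>"
RESOLVING_RE = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving '(?P<name>[^/]+)/(?P<rrtype>[^/]+)/(?P<cls>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)")


@dataclass
class ValidationFailure:
    name: str          # zone or owner name that failed validation
    rrtype: str        # RRset type being validated (e.g. DNSKEY)
    reason: str        # BIND's stated reason
    server: Optional[str] = None  # upstream server that answered, if logged


def parse_line(line: str) -> Optional[ValidationFailure]:
    """Return a ValidationFailure for a BIND DNSSEC failure line, else None."""
    m = VALIDATING_RE.search(line)
    if m:
        return ValidationFailure(m["name"].rstrip("."), m["rrtype"], m["reason"])
    m = RESOLVING_RE.search(line)
    if m:
        return ValidationFailure(m["name"].rstrip("."), m["rrtype"],
                                 m["reason"], m["server"])
    return None


def failures_by_zone(log: str) -> dict[str, list[ValidationFailure]]:
    """Group every validation failure in a log excerpt by the failing name."""
    out: dict[str, list[ValidationFailure]] = {}
    for line in log.splitlines():
        f = parse_line(line)
        if f is not None:
            out.setdefault(f.name, []).append(f)
    return out


if __name__ == "__main__":
    for zone, events in failures_by_zone(SAMPLE_LOG).items():
        print(zone, [(e.rrtype, e.reason, e.server) for e in events])
```

A spike of records for a single zone is a signal worth alerting on; a resolver-wide spike across many zones more often points at a broken trust anchor or clock skew on the resolver itself than at spoofing.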