[dns-esp] Do Google's open resolvers enable DNSSEC by default?
Arturo Servin
aservin at lacnic.net
Thu May 2 19:16:12 CLT 2013
Excellent, one more step for DNSSEC.
Regards
as
On 5/2/13 5:31 PM, Cristian Rojas R. wrote:
> Indeed, on 30/4 an e-mail from Warren Kumari arrived on the
> dnssec-deployment list, speaking on behalf of Google and stating the following:
>
>> And a quick update:
>>
>> We have recently enabled validation by default globally, and you
>> should now get SERVFAIL for validation failures.
>> Apologies again for the original, unclear announcement.
>>
>> The blog / documentation has not been updated yet (that will probably
>> happen in the next few days) but we wanted to give you the good news
>> as soon as possible.
>>
>> W
>
>
>
> Eduardo Kaftanski wrote:
>>
>> I see exactly the same thing here....
>>
>>
>>
>> 2013/5/2 Arturo Servin <aservin at lacnic.net>
>>
>>
>> I was reading about this on nanog. In March Google enabled DNSSEC on
>> its open resolvers, but only as "opt-in"; now it seems to be on by
>> default. Here are my tests, and it seems so.
>>
>>
>> This one should fail and answer servfail because it is a domain that is
>> badly signed on purpose.
>>
>> dig A @8.8.8.8 www.dnssec-failed.org
>>
>> ; <<>> DiG 9.8.3-P1 <<>> A @8.8.8.8 www.dnssec-failed.org
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62928
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.dnssec-failed.org. IN A
>>
>> ;; Query time: 226 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Thu May 2 11:42:18 2013
>> ;; MSG SIZE rcvd: 39
>>
>> With the flag that makes it ignore DNSSEC validation, it resolves.
>>
>> dig A @8.8.8.8 www.dnssec-failed.org +cd
>> ; <<>> DiG 9.8.3-P1 <<>> A @8.8.8.8 www.dnssec-failed.org +cd
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27748
>> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.dnssec-failed.org. IN A
>>
>> ;; ANSWER SECTION:
>> www.dnssec-failed.org. 7200 IN A 69.252.216.215
>> www.dnssec-failed.org. 7200 IN A 69.252.208.135
>>
>> ;; Query time: 191 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Thu May 2 11:42:23 2013
>> ;; MSG SIZE rcvd: 71
>>
>> I also tried setting Google's servers as my resolver, and for the
>> www.dnssec-failed.org page the browser returns an error saying that
>> it cannot reach it.
>>
>> Anyone having problems, or is it working fine? Anyone with
>> information from Google?
>>
>> Regards
>> as
>> _______________________________________________
>> dns-esp mailing list
>> dns-esp at listas.nic.cl
>> https://listas.nic.cl/mailman/listinfo/dns-esp
>>
>>
>>
>>
>> --
>> Eduardo Kaftanski
>> eduardo at kdi.cl
>> ekaftan at gmail.com
>>
>>
>
>
> --
> Cristian A. Rojas R. <crrojas at nic.cl> NIC Chile
> Miraflores 222, Piso 14, Codigo Postal 832-0198, Santiago Chile
> Phone: (+562) 29407700 Fax: (+562) 29407701
>
>
>
>
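
The test in this thread (query a deliberately mis-signed name without and with the CD bit, then compare the response codes) can be done at the wire level. The following is an added example, not part of the original messages; the function names are illustrative, and the sample replies are constructed headers that reuse the status, flags and IDs from the dig output quoted above.

```python
import os, socket, struct

# Header flag bits and RCODEs (RFC 1035; CD bit from RFC 4035)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qid, cd=False):
    """Encode an A/IN query; cd=True sets Checking Disabled, like dig +cd."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_header(msg):
    """Return (id, rcode, cd_set, answer_count) from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return qid, flags & 0x000F, bool(flags & FLAG_CD), an

def classify(plain, with_cd):
    """Judge a resolver from its replies for one deliberately mis-signed name."""
    _, rc_plain, _, an_plain = parse_header(plain)
    _, rc_cd, _, an_cd = parse_header(with_cd)
    if rc_plain == SERVFAIL and rc_cd == NOERROR and an_cd > 0:
        return "validating"       # bogus data withheld unless the client sets CD
    if rc_plain == NOERROR and an_plain > 0:
        return "not validating"   # bogus data returned to an ordinary client
    return "inconclusive"         # e.g. SERVFAIL both ways: outage, not validation

def ask(server, name, cd, timeout=3.0):
    """Live UDP query (not used by the offline samples below)."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))    # kernel drops datagrams from other sources
        s.send(build_query(name, qid, cd))
        reply = s.recv(512)
    if parse_header(reply)[0] != qid:
        raise ValueError("reply ID does not match query")
    return reply

def sample_reply(qid, rcode, cd, ancount):
    """Constructed reply header using the status/flags shown in the dig output."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_CD if cd else 0) | rcode
    return struct.pack("!6H", qid, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    print(classify(sample_reply(62928, SERVFAIL, False, 0), sample_reply(27748, NOERROR, True, 2)))
```

The 39-byte query that build_query produces for www.dnssec-failed.org is the same size as the "MSG SIZE rcvd: 39" SERVFAIL reply above, which carries only the header and the echoed question.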