<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Indeed, on 30/4 a message from Warren
      Kumari arrived on the dnssec-deployment list, speaking on behalf
      of Google and stating the following:<br>
<br>
<blockquote type="cite">And a quick update:<br>
<br>
We have recently enabled validation by default globally, and you
should now get SERVFAIL for validation failures. <br>
Apologies again for the original, unclear announcement.<br>
<br>
The blog / documentation has not been updated yet (that will
probably happen in the next few days) but we wanted to give you
the good news as soon as possible.<br>
<br>
W</blockquote>
<br>
<br>
<br>
Eduardo Kaftanski wrote:<br>
</div>
<blockquote
cite="mid:CAEPz6RYa+AVQMJ-G3-vmNL_6k4F88708SHhm1B-+CbixuGi22g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
          I see exactly the same thing here....
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/5/2 Arturo Servin <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:aservin@lacnic.net"
target="_blank">aservin@lacnic.net</a>></span><br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
            I was reading about this on nanog. In March Google enabled
            dnssec on its open resolvers, but only as "opt-in", and now it
            seems to be on by default. Here are my tests, and it seems so.<br>
<br>
            <br>
            This one should fail and return servfail because it is a
            domain that is badly signed on purpose.<br>
<br>
dig A @<a moz-do-not-send="true" href="http://8.8.8.8"
target="_blank">8.8.8.8</a> <a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a><br>
<br>
; <<>> DiG 9.8.3-P1 <<>> A @<a
moz-do-not-send="true" href="http://8.8.8.8"
target="_blank">8.8.8.8</a> <a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a><br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL,
id: 62928<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0<br>
<br>
;; QUESTION SECTION:<br>
;<a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>.
IN A<br>
<br>
;; Query time: 226 msec<br>
;; SERVER: 8.8.8.8#53(8.8.8.8)<br>
;; WHEN: Thu May 2 11:42:18 2013<br>
;; MSG SIZE rcvd: 39<br>
            <br>
            With the flag that makes it ignore dnssec validation, it
            resolves.<br>
<br>
dig A @<a moz-do-not-send="true" href="http://8.8.8.8"
target="_blank">8.8.8.8</a> <a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>
+cd<br>
; <<>> DiG 9.8.3-P1 <<>> A @<a
moz-do-not-send="true" href="http://8.8.8.8"
target="_blank">8.8.8.8</a> <a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>
+cd<br>
; (1 server found)<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 27748<br>
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 0<br>
<br>
;; QUESTION SECTION:<br>
;<a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>.
IN A<br>
<br>
;; ANSWER SECTION:<br>
<a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>.
7200 IN A 69.252.216.215<br>
<a moz-do-not-send="true"
href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>.
7200 IN A 69.252.208.135<br>
<br>
;; Query time: 191 msec<br>
;; SERVER: 8.8.8.8#53(8.8.8.8)<br>
;; WHEN: Thu May 2 11:42:23 2013<br>
;; MSG SIZE rcvd: 71<br>
            <br>
            I also tested with Google's servers set as my resolver, and
            for the <a moz-do-not-send="true"
              href="http://www.dnssec-failed.org" target="_blank">www.dnssec-failed.org</a>
            page the browser returns an error saying it cannot reach it.<br>
            <br>
            Anyone having problems, or is it working fine? Anyone with
            information from Google?<br>
            <br>
            Regards<br>
            as<br>
_______________________________________________<br>
dns-esp mailing list<br>
<a moz-do-not-send="true"
href="mailto:dns-esp@listas.nic.cl">dns-esp@listas.nic.cl</a><br>
<a moz-do-not-send="true"
href="https://listas.nic.cl/mailman/listinfo/dns-esp"
target="_blank">https://listas.nic.cl/mailman/listinfo/dns-esp</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Eduardo Kaftanski<br>
<a moz-do-not-send="true" href="mailto:eduardo@kdi.cl"
target="_blank">eduardo@kdi.cl</a><br>
<a moz-do-not-send="true" href="mailto:ekaftan@gmail.com"
target="_blank">ekaftan@gmail.com</a><br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Cristian A. Rojas R. <a class="moz-txt-link-rfc2396E" href="mailto:crrojas@nic.cl"><crrojas@nic.cl></a> NIC Chile
Miraflores 222, Piso 14, Codigo Postal 832-0198, Santiago Chile
Phone: (+562) 29407700 Fax: (+562) 29407701
</pre>
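    <p>Added example, not part of the original messages: the two-query
      comparison from the thread (plain query versus <code>+cd</code>
      for a deliberately mis-signed name) as a shell check. The function
      names and the "inconclusive" rule are this example's own; the
      sample headers are the ones quoted in the thread, unwrapped to one
      line each.</p>

```shell
#!/bin/sh
# Decide whether a resolver validates DNSSEC from two dig outputs for a
# deliberately mis-signed name: a plain query and the same query with +cd.

# Print the RCODE from the ";; ->>HEADER<<-" line of dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z0-9]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER count from the ";; flags:" line of dig output on stdin.
dig_answers() {
    sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# classify_resolver PLAIN_OUTPUT CD_OUTPUT
#   validating     plain query SERVFAILs, +cd query returns records
#   not-validating plain query already resolves the mis-signed name
#   inconclusive   anything else, e.g. SERVFAIL on both queries, which
#                  points at reachability rather than validation
classify_resolver() {
    plain_rc=$(printf '%s\n' "$1" | dig_status)
    cd_rc=$(printf '%s\n' "$2" | dig_status)
    cd_ans=$(printf '%s\n' "$2" | dig_answers)
    if [ -z "$plain_rc" ] || [ -z "$cd_rc" ]; then
        echo inconclusive
    elif [ "$plain_rc" = SERVFAIL ] && [ "$cd_rc" = NOERROR ] \
         && [ "${cd_ans:-0}" -gt 0 ]; then
        echo validating
    elif [ "$plain_rc" = NOERROR ]; then
        echo not-validating
    else
        echo inconclusive
    fi
}

# Sample input: header lines from the dig output quoted in the thread.
PLAIN_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62928
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
CD_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27748
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'

classify_resolver "$PLAIN_SAMPLE" "$CD_SAMPLE"

# Live use (needs network), with the resolver and name from the thread:
#   classify_resolver "$(dig A @8.8.8.8 www.dnssec-failed.org)" \
#                     "$(dig A @8.8.8.8 www.dnssec-failed.org +cd)"
```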
</body>
</html>