[Unbound-users] 8.8.8.8
Hauke Lampe
lampe at hauke-lampe.de
Mon Jun 28 15:56:14 UTC 2010
On 06/27/2010 04:23 PM, Florian Weimer wrote:
> Google's resolvers do not support DNSSEC.
They seem to support DNSSEC partially, with no special handling of DS
records:
> hauke at pope:~$ dig +dnssec org.dlv.isc.org dlv @8.8.8.8
> [...]
> ;; ANSWER SECTION:
> org.dlv.isc.org. 3265 IN DLV 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA
> org.dlv.isc.org. 3265 IN DLV 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
> org.dlv.isc.org. 3265 IN RRSIG DLV 5 4 3600 20100728141503 20100628141503 64263 dlv.isc.org. IXjBYCKFyVMMYWZqDNAf5J0QM4g31/p3piHjNgIty3qvGKTtkQOCdEh/ XhBqIPiuaB1VWnRg7GI1dbBxeKYPlpcCdIPOG98v+wAYU5+cuXJFGDqF X1TlP9Z4gxVCXvoMErJOvja3bkubE+cx8ezfnIz1j9oeRDg/SsMaNYL8 RZc=
but:
> hauke at pope:~$ dig +dnssec ntp.org ds @8.8.8.8
> [...]
> ;; AUTHORITY SECTION:
> ntp.org. 3559 IN SOA maccarony.ntp.org. postmaster.www.ntp.org. 2010062400 21600 14400 60480 60480
So, while unbound successfully validates the DLV records, it can't
complete the chain without DS/NSEC.
> Out of curiosity, why do you configure as a forwarder?
I for one run a validating unbound resolver on my "smartphone" and use
Google DNS (and others) as forwarders to reduce the number of queries
made over slow GPRS links.
Until now, I didn't notice any problems with Google's resolvers and
DNSSEC, as unbound automatically retries the query with a different
forwarder.
Hauke.
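
The difference between the two dig responses above, as an added Python example that is not part of the original message or of Unbound: it labels a `dig +dnssec` response by whether a validator behind the forwarder receives signed data, or a signed NSEC/NSEC3 proof when the answer is empty. The function names are hypothetical, the sample responses are constructed with placeholder names and rdata, and direct answers without CNAME chains are assumed.

```python
import re

# dig presentation format: owner TTL class type rdata
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
SECTION = re.compile(r"^;; (\w+) SECTION:$")

def parse_sections(dig_text):
    """Return {section name: [(rr type, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in map(str.strip, dig_text.splitlines()):
        if head := SECTION.match(line):
            current = sections.setdefault(head.group(1), [])
        elif current is not None and (rr := RR.match(line)):
            current.append((rr.group(3).upper(), rr.group(4)))
    return sections

def signed_types(rrs):
    """Types covered by an RRSIG (first rdata field of each RRSIG)."""
    return {rdata.split()[0].upper() for rtype, rdata in rrs if rtype == "RRSIG"}

def classify(dig_text, qtype):
    """Label a +dnssec response by what a validator behind it could use."""
    sections = parse_sections(dig_text)
    answer = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])
    if any(rtype == qtype for rtype, _ in answer):
        return "signed-answer" if qtype in signed_types(answer) else "unsigned-answer"
    # No data for qtype: a validator needs signed NSEC/NSEC3 to prove absence.
    denial = {rtype for rtype, _ in authority} & {"NSEC", "NSEC3"}
    if denial and denial <= signed_types(authority):
        return "signed-denial"
    return "unprovable-denial"

# Constructed samples (placeholder names and rdata), modelled on the post.
DLV_REPLY = """;; ANSWER SECTION:
org.dlv.example. 3265 IN DLV 12345 7 2 PLACEHOLDERDIGEST
org.dlv.example. 3265 IN RRSIG DLV 5 4 3600 20100728000000 20100628000000 11111 dlv.example. PLACEHOLDERSIG
"""
DS_REPLY_BARE = """;; AUTHORITY SECTION:
example.org. 3559 IN SOA ns.example.org. hostmaster.example.org. 2010062400 21600 14400 60480 60480
"""
DS_REPLY_SIGNED = DS_REPLY_BARE + """example.org. 3559 IN RRSIG SOA 7 2 900 20100728000000 20100628000000 22222 org. PLACEHOLDERSIG
placeholderhash.org. 3559 IN NSEC3 1 1 1 ABCD PLACEHOLDERNEXT NS
placeholderhash.org. 3559 IN RRSIG NSEC3 7 2 900 20100728000000 20100628000000 22222 org. PLACEHOLDERSIG
"""

if __name__ == "__main__":
    for name, text, qtype in [("DLV", DLV_REPLY, "DLV"), ("DS bare", DS_REPLY_BARE, "DS"),
                              ("DS signed", DS_REPLY_SIGNED, "DS")]:
        print(name, "->", classify(text, qtype))
```

A forwarder whose empty DS responses come back as `unprovable-denial` leaves the validator unable to prove either a secure or an insecure delegation, which is the situation the second query shows.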