Maintained by: NLnet Labs

[Unbound-users] 8.8.8.8

Hauke Lampe
Mon Jun 28 17:56:14 CEST 2010


On 06/27/2010 04:23 PM, Florian Weimer wrote:

> Google's resolvers do not support DNSSEC.

They seem to support DNSSEC partially, with no special handling of DS
records:

> hauke at pope:~$ dig +dnssec org.dlv.isc.org dlv @8.8.8.8
> [...]
> ;; ANSWER SECTION:
> org.dlv.isc.org.	3265	IN	DLV	21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0 D90F01BA
> org.dlv.isc.org.	3265	IN	DLV	21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
> org.dlv.isc.org.	3265	IN	RRSIG	DLV 5 4 3600 20100728141503 20100628141503 64263 dlv.isc.org. IXjBYCKFyVMMYWZqDNAf5J0QM4g31/p3piHjNgIty3qvGKTtkQOCdEh/ XhBqIPiuaB1VWnRg7GI1dbBxeKYPlpcCdIPOG98v+wAYU5+cuXJFGDqF X1TlP9Z4gxVCXvoMErJOvja3bkubE+cx8ezfnIz1j9oeRDg/SsMaNYL8 RZc=

but:

> hauke at pope:~$ dig +dnssec ntp.org ds @8.8.8.8
> [...]
> ;; AUTHORITY SECTION:
> ntp.org.		3559	IN	SOA	maccarony.ntp.org. postmaster.www.ntp.org. 2010062400 21600 14400 60480 60480

So, while unbound successfully validates the DLV records, it can't
complete the chain without DS/NSEC.

> Out of curiosity, why do you configure as a forwarder?

I for one run a validating unbound resolver on my "smartphone" and use
Google DNS (and others) as forwarders to reduce the number of queries
made over slow GPRS links.

Until now, I didn't notice any problems with Google's resolvers and
DNSSEC, as unbound automatically retries the query with a different
forwarder.


Hauke.
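
An added example, not part of the original post: a Python check that reads dig's text output and reports whether a forwarder's reply gives a validator something to work with, either a signed answer or a signed NSEC/NSEC3 denial, or only an unsigned SOA as in the DS query above. The function names, category labels and sample replies are constructed for illustration; the check looks only at which records are present and verifies no signatures.

```python
import re

# One record in dig's presentation format: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")

def parse_sections(dig_text):
    """Map section name -> [(owner, rrtype, rdata)] from dig's text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        line = line.strip()
        header = re.match(r"^;; (\w+) SECTION:$", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif not line:
            current = None  # a blank line ends the section
        elif current is not None and not line.startswith(";"):
            rr = RR.match(line)
            if rr:
                current.append((rr.group(1).lower(), rr.group(2).upper(), rr.group(3)))
    return sections

def signed_types(records):
    """Types present in a section that also have an RRSIG covering them.
    Presence check only: no signature is verified and owners are not matched."""
    present = {rrtype for _, rrtype, _ in records}
    covered = {rdata.split()[0].upper() for _, rrtype, rdata in records if rrtype == "RRSIG"}
    return present & covered

def classify(dig_text, qtype):
    """'signed-answer', 'signed-denial' or 'unusable' for a validator behind this forwarder."""
    sections = parse_sections(dig_text)
    if qtype.upper() in signed_types(sections.get("ANSWER", [])):
        return "signed-answer"
    if signed_types(sections.get("AUTHORITY", [])) & {"NSEC", "NSEC3"}:
        return "signed-denial"
    return "unusable"

# Constructed samples shaped like the two responses in the post (rdata abridged).
DLV_REPLY = """;; ANSWER SECTION:
org.dlv.isc.org. 3265 IN DLV 21366 7 1 CONSTRUCTED-DIGEST
org.dlv.isc.org. 3265 IN RRSIG DLV 5 4 3600 20100728141503 20100628141503 64263 dlv.isc.org. CONSTRUCTED-SIG
"""
DS_REPLY = """;; AUTHORITY SECTION:
ntp.org. 3559 IN SOA maccarony.ntp.org. postmaster.www.ntp.org. 2010062400 21600 14400 60480 60480
"""

if __name__ == "__main__":
    print(classify(DLV_REPLY, "DLV"))  # signed-answer
    print(classify(DS_REPLY, "DS"))    # unusable
```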