In message <4f389087.50...@gmail.com>, "dE ." writes:
>
> On 02/12/12 23:13, Miek Gieben wrote:
> > [ Quoting<de.tec...@gmail.com> at 23:10 on Feb 12 in "dig -- only RRSIG pr ..." ]
> >> I'm trying to see DNSSEC response of various sites; my DNS server is
> >> 8.8.8.8 (google's public DNS service)
> > Google's public resolvers don't handle DNSSEC very well...
> >
> > grtz Miek
> >
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> They claim that they do support -
>
> http://code.google.com/speed/public-dns/faq.html#dnssec

Does Google Public DNS support the DNSSEC protocol?
Google Public DNS supports EDNS0 extensions, which means that we accept and forward DNSSEC-formatted messages; however, we do not yet validate responses. We will continue to work on improving Google Public DNS.

Which says nothing about the special handling required for DS.

You also can't be a reliable DNSSEC aware recursive server without validating the responses or without setting DO on upstream queries when the client doesn't set DO. If you don't validate you leave yourself open to cache poisoning which will be detected by downstream validators and they will have no way to recover. If you don't set DO on upstream queries your cache will be polluted by non DNSSEC responses. The DNSSEC aware recursive server needs a superset of the trust anchors used by the clients.

All this has been pointed out on dns...@ietf.org so hopefully Google is paying attention there.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
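
An added illustration, not part of Mark's message and not BIND code: the DO bit discussed above is carried in the TTL field of the EDNS0 OPT record, and this shows a resolver-side rewrite that sets it on the upstream copy of a query whether or not the client sent EDNS0. All function names are hypothetical, and it assumes the query carries no TSIG record after the OPT.

```python
import struct

OPT, DO_FLAG = 41, 0x8000  # OPT RR type; DO bit inside the OPT "TTL" field

def opt_rr(do, udp_size=4096):
    # Root owner name, TYPE=OPT, CLASS=UDP payload size, TTL=flags, RDLEN=0.
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)

def build_query(name, qtype, edns=False, do=False, qid=0x1234):
    # Header: RD set, one question, ARCOUNT 1 only when an OPT RR follows.
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, int(edns))
    msg += b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return msg + (opt_rr(do) if edns else b"")

def skip_name(msg, off):
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def find_opt(msg):
    # Returns (offset of the OPT TTL field, its value); None if there is no EDNS0.
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            return off + 4, ttl
        off += 10 + rdlen

def has_do(msg):
    opt = find_opt(msg)
    return bool(opt and opt[1] & DO_FLAG)

def upstream_query(client_query):
    # Resolver side: set DO on the upstream copy whatever the client sent.
    opt = find_opt(client_query)
    if opt is None:  # no EDNS0 from the client: bump ARCOUNT, append OPT with DO
        ar = int.from_bytes(client_query[10:12], "big") + 1
        return client_query[:10] + ar.to_bytes(2, "big") + client_query[12:] + opt_rr(True)
    off, ttl = opt
    return client_query[:off] + struct.pack("!I", ttl | DO_FLAG) + client_query[off + 4:]
```

Calling `has_do()` on a captured query shows whether a given client or forwarder asked for DNSSEC records at all.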