Bowie Bailey writes:
On 11/10/2011 8:25 PM, Sam Varshavchik wrote:
> I'd like to make a small request, if you have a few spare minutes. Download
> and compile this build. You do not need to install it, just run
> "testmxlookup" that gets built in the courier subdirectory, like this:
>
> testmxlookup -dnssec <domain>
>
> You should get back a list of MX records for the specified domain, as usual.
> In the event that someone does happen to have working DNSSEC, each IP
> address in the list will be also marked with "(DNSSEC)", but that's not
> important, as long as the list of MX IPs is returned at all.
>
> This is to gauge the percentage of population with DNS servers that can't
> talk to DNSSEC-enabled clients. In the event that the "-dnssec" option
> doesn't work, also try:
>
> testmxlookup -dnssec -udpsize 512 <domain>

I compiled and tested on my main mailserver. A basic lookup works fine. Using the dnssec option (with or without udpsize) fails.

$ pwd
/home/bowieb/source/courier-0.66.3.20111110/courier
$ ./testmxlookup yahoo.com
Domain yahoo.com:
Relay: mta6.am0.yahoodns.net, Priority: 1, Address: ::ffff:67.195.168.31
Relay: mta6.am0.yahoodns.net, Priority: 1, Address: ::ffff:66.94.236.34
Relay: mta5.am0.yahoodns.net, Priority: 1, Address: ::ffff:98.139.175.224
Relay: mta5.am0.yahoodns.net, Priority: 1, Address: ::ffff:98.139.175.225
Relay: mta5.am0.yahoodns.net, Priority: 1, Address: ::ffff:67.195.103.233
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:98.137.54.238
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:66.94.237.139
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:209.191.88.254
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:67.195.168.230
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:74.6.136.65
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:98.137.54.237
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:74.6.140.64
Relay: mta7.am0.yahoodns.net, Priority: 1, Address: ::ffff:66.94.237.64
$ ./testmxlookup --dnssec yahoo.com
Hard error.
$ ./testmxlookup --dnssec --udpsize 512 yahoo.com
Hard error.
$

This is talking to a Bind 9.2.4 DNS server. I moved the binary over to my internal server which talks to a Bind 9.7.0 server and got the same results.
That's strange. According to http://www.isc.org/software/bind/dnssec, "all versions of BIND 9 are DNSSEC capable".
What happens if you run a query using 'dig' with the "+dnssec" option:

dig +dnssec yahoo.com mx
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
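An added illustration, not part of the original thread and not Courier's code: what a DNSSEC-aware MX query looks like on the wire, and which reply header bits to read when such a query fails. It assumes the dnssec and udpsize options discussed above correspond to the EDNS0 "DNSSEC OK" bit and the advertised UDP payload size; the function names and the sample reply headers are constructed for this example.

```python
import struct

TYPE_MX, TYPE_OPT, CLASS_IN = 15, 41, 1
FLAG_RD, FLAG_TC, FLAG_AD = 0x0100, 0x0200, 0x0020
DO_BIT = 0x8000  # "DNSSEC OK" flag carried in the OPT record's TTL field
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def build_mx_query(name, dnssec=False, udpsize=4096, qid=0x1234):
    """Build an MX query; dnssec=True appends an EDNS0 OPT record with DO set."""
    msg = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    msg += encode_name(name) + struct.pack("!2H", TYPE_MX, CLASS_IN)
    if dnssec:
        # OPT pseudo-record: root name, TYPE 41, CLASS = advertised UDP payload
        # size, TTL = extended rcode / version / flags, RDLENGTH = 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udpsize, DO_BIT, 0)
    return msg

def summarize_reply(reply):
    """Decode the 12-byte reply header into the fields useful for triage."""
    if len(reply) < 12:
        raise ValueError("short DNS message")
    _qid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", reply[:12])
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "truncated": bool(flags & FLAG_TC),      # retry over TCP
            "authenticated": bool(flags & FLAG_AD),  # resolver validated the data
            "answers": answers}

# Constructed reply headers (not captured from the servers in this thread).
SAMPLE_REPLIES = {
    "server rejects the OPT record": struct.pack("!6H", 0x1234, 0x8181, 1, 0, 0, 0),
    "answer too big for udpsize": struct.pack("!6H", 0x1234, 0x8380, 1, 0, 0, 1),
    "validated answer": struct.pack("!6H", 0x1234, 0x81A0, 1, 3, 0, 1),
}

if __name__ == "__main__":
    print(build_mx_query("yahoo.com", dnssec=True, udpsize=512).hex())
    for label, hdr in SAMPLE_REPLIES.items():
        print(label, summarize_reply(hdr))
```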