Comments on: DNSSEC verification with dig

By: waldner

waldner — Mon, 10 Mar 2014 11:55:07 +0000

In reply to Aleksandar. So it seems they haven't got it yet.

By: Aleksandar

Aleksandar — Mon, 10 Mar 2014 11:24:52 +0000

In reply to waldner. That's also all I could find, and that's why I am asking.

By: waldner

waldner — Mon, 10 Mar 2014 11:08:44 +0000

In reply to Aleksandar. Where did you read that google.com has DNSSEC? All I can find is that their public DNS resolvers do DNSSEC validation, which is not at all the same thing.

By: Aleksandar

Aleksandar — Mon, 10 Mar 2014 08:44:58 +0000

Why does it fail on google? I thought they must be DNSSEC enabled. Just wondering if it is some crazy ISP DNS spoofing or google don't have it yet. Because your example domain from above worked for me.

$ dig +sigchase +trusted-key=./root.keys google.com. A | cat -n
1 ;; RRset to chase:
2 google.com. 28 IN A 74.125.228.4
3 google.com. 28 IN A 74.125.228.5
4 google.com. 28 IN A 74.125.228.6
5 google.com. 28 IN A 74.125.228.7
6 google.com. 28 IN A 74.125.228.8
7 google.com. 28 IN A 74.125.228.9
8 google.com. 28 IN A 74.125.228.14
9 google.com. 28 IN A 74.125.228.0
10 google.com. 28 IN A 74.125.228.1
11 google.com. 28 IN A 74.125.228.2
12 google.com. 28 IN A 74.125.228.3
13
14
15
16 Launch a query to find a RRset of type RRSIG for zone: google.com.
17
18 ;; RRSIG is missing for continue validation: FAILED