Re: [bitfolk] BitFolk's DNS resolvers and DNSSEC validation …

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] BitFolk's DNS resolvers and DNSSEC validation - how to make progress?

gpg: Signature made Wed Mar 27 22:04:57 2013 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
Hello,

On Tue, Mar 26, 2013 at 11:07:06PM +0000, Andy Smith wrote:
> We could put up a test instance of Unbound with validation enabled
> and you could switch to using it, to see if anything breaks. Is that
> something that any of you think you would bother with?
It looks like it will be quicker to just do this than to extract a
firm desire for it out of anyone. :)

So, there's now a validating resolver on 85.119.80.243. It will
return SERVFAIL for domains with broken DNSSEC. If you want to test
DNSSEC without installing your own resolver, please use that IP (and
only that IP) in your /etc/resolv.conf, or you can issue "dig"
commands like:

    $ dig -t a www.dnssec-failed.org @85.119.80.243

    ; <<>> DiG 9.7.3 <<>> -t a www.dnssec-failed.org @85.119.80.243
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12471
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A

    ;; Query time: 1287 msec
    ;; SERVER: 85.119.80.243#53(85.119.80.243)
    ;; WHEN: Wed Mar 27 21:50:46 2013
    ;; MSG SIZE  rcvd: 39

In a couple of days I will send an email to announce@ stating when
validation will be turned on for the production resolvers and
mentioning the existence of 85.119.80.243.

I have since discovered "val-permissive-mode: yes":

    http://unbound.net/documentation/howto_turnoff_dnssec.html
so what will most likely happen is that validation will be enabled
in permissive mode right away and logs examined after a week to see
what the likely fallout will be.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
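The test Andy describes with dig, done from Python, as an added example (this is not code from the post or from BitFolk). It builds a recursive query with the EDNS0 DO bit, decodes the reply header, and adds the check a practitioner wants when a validating resolver answers SERVFAIL: repeat the query with the CD (checking disabled) bit set, and only call the zone "bogus" if it then resolves. SERVFAIL_REPLY is constructed byte-for-byte from the dig output above (id 12471, flags qr rd ra, rcode SERVFAIL, one question, 39 bytes); CD_REPLY, VALIDATED_REPLY, the 10.0.0.x addresses and example.org are hypothetical sample data. The resolver IP in the usage comment is the one from the post.

```python
"""DNSSEC validation check against a resolver: DO-bit query, header decode,
and a CD=1 retry to separate a validation SERVFAIL from an ordinary one.
Added example, not from the list post; sample replies below are constructed."""
import socket
import struct
import sys

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid: int = 0x1234,
                checking_disabled: bool = False) -> bytes:
    """Recursive query plus an EDNS0 OPT record with DO set.  DO makes the AD
    bit in the reply meaningful to us; CD asks the resolver to skip validation."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field holds
    # ext-rcode/version/flags with DO (0x8000) in the flags half, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields a DNSSEC test cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def dnssec_verdict(reply_cd0: bytes, reply_cd1: bytes) -> str:
    """A validator answers SERVFAIL for a bogus zone only while checking is
    enabled; the same name resolves with CD=1.  SERVFAIL on both means the
    problem is not DNSSEC (lame servers, timeouts, and so on)."""
    h0, h1 = parse_header(reply_cd0), parse_header(reply_cd1)
    if h0["rcode"] == SERVFAIL and h1["rcode"] == 0:
        return "bogus"      # fails validation, resolvable with CD=1
    if h0["rcode"] == SERVFAIL:
        return "servfail"   # broken regardless of validation
    if h0["rcode"] == 0 and h0["ad"]:
        return "secure"     # validated, AD set
    if h0["rcode"] == 0:
        return "insecure"   # answered, but unsigned or resolver not validating
    return f"rcode{h0['rcode']}"


def make_reply(qid: int, flags: int, name: str, addr: str = "") -> bytes:
    """Constructed reply: header, echoed question, optional single A record."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b""
    if addr:  # owner name as a compression pointer to offset 12, TTL 300
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if addr else 0, 0, 0)
    return header + question + answer


# Constructed samples.  SERVFAIL_REPLY is exactly what dig showed in the post:
# id 12471, flags qr rd ra, rcode SERVFAIL (0x8182), one question, no answers.
SERVFAIL_REPLY = make_reply(12471, 0x8182, "www.dnssec-failed.org")
# Hypothetical: the same name answered with CD=1, and a validated answer (AD
# set) for a signed zone.  The 10.0.0.x addresses are made up.
CD_REPLY = make_reply(12471, QR | RD | RA | CD, "www.dnssec-failed.org", "10.0.0.1")
VALIDATED_REPLY = make_reply(4242, QR | RD | RA | AD, "example.org", "10.0.0.2")


def query(resolver: str, name: str, checking_disabled: bool = False) -> bytes:
    """One UDP query, raw reply back (needs network; not used by the samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name, checking_disabled=checking_disabled), (resolver, 53))
        return s.recv(4096)


if __name__ == "__main__":
    # e.g.  python dnssec_check.py 85.119.80.243 www.dnssec-failed.org
    resolver, name = sys.argv[1], sys.argv[2]
    print(name, dnssec_verdict(query(resolver, name), query(resolver, name, True)))
```

Run against the test resolver from the post, www.dnssec-failed.org should come back "bogus" (SERVFAIL with CD=0, an address with CD=1), while a name from a correctly signed zone comes back "secure" only if the resolver is validating; against a non-validating resolver the same signed name reports "insecure", which is the quickest way to confirm which resolver you are actually talking to. With Unbound's val-permissive-mode enabled the bogus case degrades to "insecure" as well, since the resolver answers but withholds AD, so permissive mode is for reading the logs, not for client-side testing.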