Hello,
On Tue, Mar 26, 2013 at 11:07:06PM +0000, Andy Smith wrote:
> We could put up a test instance of Unbound with validation enabled
> and you could switch to using it, to see if anything breaks. Is that
> something that any of you think you would bother with?
It looks like it will be quicker to just do this than to extract a
firm desire for it out of anyone. :)
So, there's now a validating resolver on 85.119.80.243. It will
return SERVFAIL for domains with broken DNSSEC. If you want to test
DNSSEC without installing your own resolver, please use that IP (and
only that IP) in your /etc/resolv.conf, or you can issue "dig"
commands like:
$ dig -t a www.dnssec-failed.org @85.119.80.243

; <<>> DiG 9.7.3 <<>> -t a www.dnssec-failed.org @85.119.80.243
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12471
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.        IN    A

;; Query time: 1287 msec
;; SERVER: 85.119.80.243#53(85.119.80.243)
;; WHEN: Wed Mar 27 21:50:46 2013
;; MSG SIZE  rcvd: 39
In a couple of days I will send an email to announce@ stating when
validation will be turned on for the production resolvers and
mentioning the existence of 85.119.80.243.
I have since discovered "val-permissive-mode: yes":
http://unbound.net/documentation/howto_turnoff_dnssec.html
so what will most likely happen is that validation will be enabled
in permissive mode right away and logs examined after a week to see
what the likely fallout will be.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
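As an added illustration, not taken from Andy's message or from BitFolk's configuration, here is an Unbound `server:` fragment for the staged rollout the message describes: validation switched on in permissive mode with failures logged for review, and the single line to change once the week of logs has been examined. The file paths are assumptions.

```conf
server:
    # Load the validator in front of the iterator; without "validator"
    # in module-config none of the val-* options below take effect.
    module-config: "validator iterator"

    # RFC 5011 managed root trust anchor (path is an assumption; the
    # unbound user must be able to write it so key rollovers are tracked).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Stage 1 (what the message proposes): validate, but do not SERVFAIL.
    # Bogus answers are still returned to clients, only without the AD bit,
    # so nothing breaks while the operator watches the logs.
    val-permissive-mode: yes

    # Log each validation failure with its reason (0 = off, 1 = failed
    # query only, 2 = query plus reason), so the logs show what would have
    # returned SERVFAIL once permissive mode is removed.
    val-log-level: 2
    verbosity: 1
    log-time-ascii: yes

    # Stage 2, after reviewing the logs: set permissive mode to "no" (or
    # delete the line, since "no" is the default). The resolver then answers
    # SERVFAIL for domains with broken DNSSEC, as the 85.119.80.243 test
    # instance already does.
    # val-permissive-mode: no
```

To confirm which stage a resolver is in, query a deliberately broken name such as www.dnssec-failed.org as in the dig example above: in permissive mode the query still answers but the `ad` flag is absent from the flags line, and with permissive mode off the status is SERVFAIL.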