On 2/3/19 1:39 PM, Sanjeev Gupta wrote:
> The Google resolver checks for valid DNSSEC, and sets the bit.

and does not return a result if DNSSEC fails.

$ dig dnssec.fail @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35621
$ dig dnssec-failed.org @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45396

> However,
> practically no one contacts Google DNS directly, it is their home router
> or office gateway that does this. And these resolvers do not check DNSSEC.

Right, it's not ideal. Anyone between them and their home/office router
or, more importantly, that router and Google can mess with their DNS.

-- 
Richard
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
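
The following is an added example, not part of the original message: a small parser for the DNS header fields the thread discusses, assuming "the bit" means the AD (Authenticated Data) flag. The function names and the sample headers are constructed for illustration; the headers are not captured traffic.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234, qtype=1):
    """Build an A query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    # Header: id, flags (RD=1), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)  # DO = 0x8000
    return header + question + opt

def classify(response):
    """Return (rcode_name, ad_bit, verdict) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    rcode_name = RCODES.get(rcode, "RCODE%d" % rcode)
    if rcode == 2:
        # SERVFAIL has several causes; a validation failure is one of them.
        verdict = "no answer: resolver failed, possibly a DNSSEC validation failure"
    elif ad:
        # The AD flag is unsigned: it is only as good as the path to the resolver.
        verdict = "resolver claims validation; trust depends on the path to it"
    else:
        verdict = "answer was not validated by the resolver that replied"
    return rcode_name, ad, verdict

# Constructed sample headers (id, flags, qd, an, ns, ar); not captured traffic.
SAMPLES = {
    "validating resolver, good zone": struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1),
    "validating resolver, bad zone": struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1),
    "non-validating forwarder": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, "->", classify(packet))
```

Because the AD flag is a single unsigned header bit, a stub that reads it from a non-validating or untrusted forwarder learns nothing about authenticity, which is the gap the reply describes.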