From: Benjamin Lee
Date: Mon, 07 Jan 2013 15:39:43 -0800
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] DNSSEC (w/ DLV) live on *.dev.gentoo.org
Message-ID: <50EB5CBF.1030209@b1c1l1.com>

On 01/07/2013 06:34 AM, Maxim Kammerer wrote:
> browser plugins? Also, how widespread is client DNSSEC support? E.g.,
> I enabled DNSSEC for my domain, but not sure yet whether DNS
> resolution anywhere will fail in case DNS responses are spoofed.

Comcast runs dnssec-failed.org, which is convenient for testing out some
DNSSEC validation failure cases.

Using a validating resolver, my client sees SERVFAIL:

$ host dnssec-failed.org.
Host dnssec-failed.org not found: 2(SERVFAIL)

and here are some example logs from the resolver (running BIND):

named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53

-- 
Benjamin Lee
http://www.b1c1l1.com/
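
An added example, not part of the original message: a small parser that picks DNSSEC validation failures out of resolver logs in the two formats quoted above and groups them by name. The function name, the reason list and the two extra sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two log lines quoted in the message, plus two
# constructed lines that must NOT be counted as validation failures.
SAMPLE_LOG = """\
named[80369]: validating @0x804ee5500: dnssec-failed.org DNSKEY: no valid signature found (DS)
named[80369]: error (no valid RRSIG) resolving 'dnssec-failed.org/DNSKEY/IN': 68.87.76.228#53
named[80369]: error (connection refused) resolving 'example.net/A/IN': 192.0.2.53#53
named[80369]: client 192.0.2.10#53211: query: example.org IN A +
"""

# Reason strings that mark a validation failure. Both come from the quoted
# logs; extend the tuple with whatever your resolver emits (assumption).
DNSSEC_REASONS = ("no valid signature found", "no valid RRSIG")

# validating @0x...: <name> <TYPE>: <reason>
VALIDATING = re.compile(
    r"validating (?:@0x[0-9a-f]+: )?(?P<name>\S+) (?P<rtype>[^\s:]+): (?P<reason>.+)$")
# error (<reason>) resolving '<name>/<TYPE>/<CLASS>': <server>#<port>
RESOLVING = re.compile(
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[^/']+)/[^']+': (?P<server>[^#\s]+)#\d+")


def dnssec_failures(log_text):
    """Return {name: {"rtypes", "reasons", "servers"}} for validation failures."""
    failures = defaultdict(
        lambda: {"rtypes": set(), "reasons": set(), "servers": set()})
    for line in log_text.splitlines():
        m = VALIDATING.search(line) or RESOLVING.search(line)
        if not m:
            continue
        reason = m.group("reason")
        if not any(marker in reason for marker in DNSSEC_REASONS):
            continue  # resolver error that is unrelated to validation
        name = m.group("name").rstrip(".").lower() or "."
        entry = failures[name]
        entry["rtypes"].add(m.group("rtype"))
        entry["reasons"].add(reason)
        server = m.groupdict().get("server")  # only present in "resolving" lines
        if server:
            entry["servers"].add(server)
    return dict(failures)


if __name__ == "__main__":
    for name, info in dnssec_failures(SAMPLE_LOG).items():
        print(name, sorted(info["rtypes"]), sorted(info["reasons"]), sorted(info["servers"]))
```
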