Re: DNSSSEC verification example

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:

> Hi Brian- How do I modify the initial request message to request the
> DNSSEC extended attributes? Should I be able to get those attributes
> from a query to say gmail.com -- i.e can I just fire off queries to
> bunch of the major sites at this point and expect DNSSEC responses?

If you want to set it on all queries, you can call:

Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);

on the resolver being used.  To set it on an individual query:

opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
query.addRecord(opt, Section.ADDITIONAL);

Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC.  Whether this is true depends on how your ISP (or other DNS provider) has configured it.

There are definitely major sites using DNSSEC, but gmail isn't one of them.  I'm sure that someone's maintaining a list, but I haven't looked.

Brian