From: Adam F. <af...@br...> - 2012-02-20 22:52:22
I belatedly wanted to thank you for all these details, Brian. It's still an early version that needs more extensive testing in the wild, but the steps you described are integrated into DNSSEC4J at:

https://github.com/adamfisk/DNSSEC4J

I know others have mentioned it, but I'll throw in my +1 for putting dnsjava up at Sonatype for auto-syncing with Maven central -- would make it much easier for third parties to integrate things like DNSSEC4J as well. It's actually fairly easy to do and totally worth it -- described at:

https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide

All the Best,

-Adam

On Wed, Nov 23, 2011 at 4:32 PM, Brian Wellington <bwe...@xb...> wrote:
>
> On Nov 22, 2011, at 8:38 PM, Adam Fisk wrote:
>
>> Hi Brian- How do I modify the initial request message to request the
>> DNSSEC extended attributes? Should I be able to get those attributes
>> from a query to say gmail.com -- i.e. can I just fire off queries to
>> a bunch of the major sites at this point and expect DNSSEC responses?
>
> If you want to set it on all queries, you can call:
>
>     Resolver.setEDNS(0, 0, ExtendedFlags.DO, null);
>
> on the resolver being used. To set it on an individual query:
>
>     opt = new OPTRecord(1280, 0, 1, ExtendedFlags.DO , null);
>     query.addRecord(opt, Section.ADDITIONAL);
>
> Note that unless you send the query directly to an authoritative server, the response will only contain DNSSEC information if the caching server you're pointing to supports DNSSEC. Whether this is true depends on how your ISP (or other DNS provider) has configured it.
>
> There are definitely major sites using DNSSEC, but gmail isn't one of them. I'm sure that someone's maintaining a list, but I haven't looked.
>
> Brian
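
What the DO flag discussed in this thread looks like on the wire, and a check for whether a response actually carried DNSSEC data, as an added Python example that is not part of the original messages or of dnsjava. It works at the DNS wire format rather than through the dnsjava API; EDNS version 0, the function names and the sample responses are assumptions constructed for illustration.

```python
import struct

DO = 0x8000   # EDNS "DNSSEC OK" bit (RFC 3225); the flag dnsjava names ExtendedFlags.DO
AD = 0x0020   # header "Authenticated Data" bit, set by a validating resolver
TYPE_OPT, TYPE_RRSIG = 41, 46

def encode_name(name):
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(owner, rtype, rclass, ttl, rdata=b""):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_query(name, qtype=1, payload=1280, do=True, msg_id=0x1234):
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root owner, CLASS = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | flags(16); version 0 assumed here.
    return header + question + rr(b"\x00", TYPE_OPT, payload, DO if do else 0)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label is 1

def dnssec_summary(msg):
    """Report the DNSSEC signals present in one well-formed DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    out = {"ad": bool(flags & AD), "do_bit": False, "rrsig_count": 0}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            out["rrsig_count"] += 1
        elif rtype == TYPE_OPT:
            out["do_bit"] = bool(ttl & DO)
    return out

# Constructed sample responses (not captured traffic; RRSIG RDATA is filler).
Q = encode_name("example.org") + struct.pack("!HH", 1, 1)
A = rr(b"\xc0\x0c", 1, 1, 300, bytes([192, 0, 2, 1]))
SIGNED = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1) + Q + A
          + rr(b"\xc0\x0c", TYPE_RRSIG, 1, 300, b"\x00" * 18) + rr(b"\x00", TYPE_OPT, 4096, DO))
PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + Q + A
```

`dnssec_summary(PLAIN)` shows the case the reply warns about: a caching server without DNSSEC support answers the question but returns no RRSIG records and no AD bit, even though the query set DO.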