Categories
Deploy360 Domain Name System Security Extensions (DNSSEC)

Are You Protected By DNSSEC? A Quick Way To Check

Want a quick way to check if you have DNSSEC validation working at your site? Just go to:

https://www.dnssec-tools.org/test/

You’ll see either a thumbs-up or a thumbs-down:

[Images: DNSSEC Tools thumbs-up and thumbs-down results]

If you get a thumbs-up then all the DNS queries were validated with DNSSEC.  If you get a thumbs-down then your local DNS resolver is either not validating with DNSSEC or is not validating all queries.  Time to figure out what’s wrong!

If you need to configure DNSSEC validation, we recommend SURFnet’s white paper that includes easy steps for common DNS resolvers.

And if you know very little about DNSSEC and want to learn more, please visit our Start Here page to begin!


Google Clarifies DNSSEC Support – Opt In Now, Full Validation Coming Soon

After Google’s announcement earlier this week of DNSSEC validation support in their Public DNS service, there was some concern and discussion in various DNSSEC mailing lists about the fact that DNSSEC validation was not being performed by default and required a client to request validation. Folks at Google clarified that this was just part of their initial rollout and that providing full validation is in their plans.

They have now also updated their FAQ about DNSSEC support in Google Public DNS and most importantly updated these two questions (my emphasis added):

Does Google Public DNS support the DNSSEC protocol?
Yes. Google Public DNS is a validating, security-aware resolver. Currently this is an opt-in feature: for queries coming from clients requesting validation (the AD and/or DO flag is set), Google Public DNS verifies that response records are correctly authenticated. Validation by default (i.e. for all queries) will be enabled soon.

Which client resolvers currently enable DNSSEC?
Unfortunately, most standard client stub resolvers do not enable full DNSSEC checking and cannot be easily reconfigured to do so. We have decided to make our initial launch only cover resolvers that explicitly ask for DNSSEC checking so that we become aware of any problems before exposing our users to possible large-scale DNS failures due to DNSSEC misconfigurations or outages. Once we are happy that we can safely enable DNSSEC for all users except those who explicitly opt out, we will do so.

It’s great to see Google responding to questions and adding these clarifications – and from the point of view of advocacy for DNSSEC deployment, it is great to have Google out there endorsing and promoting DNSSEC as a way to increase Internet security.

(And you can easily get started with DNSSEC if you haven’t already.)
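As an added example (not code from Google or from this post), the following Python builds a wire-format DNS query with the AD header flag and/or the EDNS0 DO bit set, checks the opt-in condition quoted from the FAQ above, and reads the AD bit from a reply header. The function names, the query ID and the 1232-byte UDP payload size are assumptions chosen for illustration.

```python
import struct

RD, AD = 0x0100, 0x0020   # header flag bits: Recursion Desired, Authenticated Data
DO = 0x8000               # "DNSSEC OK" bit inside the EDNS0 OPT record's TTL field
OPT = 41                  # EDNS0 OPT pseudo-record type

def build_query(name, ad=False, do=False, qtype=1, qid=0x1234):
    """Build a wire-format DNS query, optionally setting AD and/or DO."""
    header = struct.pack("!6H", qid, RD | (AD if ad else 0), 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT RR: root owner, type 41, class = UDP payload size, TTL carries DO, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, DO, 0) if do else b""
    return header + question + opt

def requests_validation(query):
    """True if the query sets AD or DO, the opt-in condition quoted in the FAQ."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", query[:12])
    pos = 12
    for _ in range(qd):                      # skip each question (names are uncompressed)
        while query[pos]:
            pos += query[pos] + 1
        pos += 1 + 4                         # root label + QTYPE + QCLASS
    do = False
    if an == 0 and ns == 0 and ar == 1 and query[pos] == 0:   # lone OPT record follows
        rtype, _, ttl, _ = struct.unpack("!HHIH", query[pos + 1:pos + 11])
        do = rtype == OPT and bool(ttl & DO)
    return bool(flags & AD) or do

def classify_response(header):
    """Interpret the first 12 bytes of a resolver's reply."""
    _, flags, *_ = struct.unpack("!6H", header[:12])
    if flags & 0x000F == 2:
        # RCODE 2: what a validating resolver returns on validation failure
        # (SERVFAIL also has other causes)
        return "SERVFAIL"
    return "validated" if flags & AD else "not validated"
```

A plain stub-resolver query corresponds to `build_query(name)` with neither bit set, which is the case the FAQ says was not validated during the initial rollout.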

For those of you who enjoy listening to audio, I recorded some audio commentary on our SoundCloud channel about why I view this news from Google as incredibly important: