mafintosh / dns-packet

An abstract-encoding compliant module for encoding / decoding DNS packets
MIT License

how to make query with DNSSEC #45

Closed dalbodeule closed 5 years ago

dalbodeule commented 5 years ago

I would like to proceed with DNS Query by applying DNSSEC. However, there is no example to query DNSSEC. Can you give me an example of DNS query by applying DNSSEC?

silverwind commented 5 years ago

The low-level abstractions for DNSSEC validation should be all there, but I have never tried it myself either.

Generally, I think we want to add DNSSEC validation to dns-socket as a feature.

dalbodeule commented 5 years ago

In fact, I have more questions. My first goal is to create a packet that uses DNSSEC as shown in the following picture rather than the DNSSEC validation process.

[screenshot of the desired DNSSEC query packet]

silverwind commented 5 years ago

This appears to work:

require('util').inspect.defaultOptions.depth = null
const dnsPacket = require('.') // run from a checkout of this repo; use require('dns-packet') when installed
const dgram = require('dgram')
const socket = dgram.createSocket('udp4')
const server = require('dns').getServers()[0]

// Ordinary A query with RD set, plus an EDNS0 OPT pseudo-record in the
// additional section carrying the DO (DNSSEC OK) flag. DO only asks the
// resolver to include RRSIG records; it does not validate anything.
const buf = dnsPacket.encode({
  type: 'query',
  flags: dnsPacket.RECURSION_DESIRED,
  questions: [{
    type: 'A',
    name: 'www.ietf.org'
  }],
  additionals: [{
    type: 'OPT',
    name: '.',
    udpPayloadSize: 4096,
    flags: dnsPacket.DNSSEC_OK
  }]
})

socket.on('error', err => {
  console.error(err)
  socket.close()
})

socket.on('message', message => {
  // With DO set, a DNSSEC-signed zone answers with RRSIG records next to the A records
  console.log(dnsPacket.decode(message))
  socket.close()
})

socket.send(buf, 0, buf.length, 53, server)

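The following is an added example, not code from the original thread or from dns-packet. It hand-builds the same kind of DNSSEC-enabled query (EDNS0 OPT pseudo-RR with the DO bit) using only Node's Buffer, and parses a constructed reply, so the meaning of each wire field is visible without a network. The name www.example.org, the address 192.0.2.1, algorithm number 13, the zeroed expiry/inception/key tag and the 64 zero signature bytes are assumptions made for the sample; the reply is constructed, not captured.

```javascript
// Added example, not code from dns-packet or this thread: hand-build the query the
// snippet above sends (EDNS0 OPT pseudo-RR with DO set) and parse a constructed reply.
const RD = 0x0100      // header flag: recursion desired
const AD = 0x0020      // header flag: authenticated data (claimed by a validating resolver)
const DO_BIT = 0x8000  // DNSSEC OK, bit 15 of the OPT record's 16-bit flags field
const TYPE = { A: 1, OPT: 41, RRSIG: 46 }

// Encode a dotted name as uncompressed DNS labels.
function encodeName (name) {
  return Buffer.concat([...name.split('.').filter(Boolean).map(l => Buffer.from([l.length, ...Buffer.from(l, 'ascii')])), Buffer.from([0])])
}

// Query for (name, qtype) plus an OPT pseudo-RR: the UDP payload size rides in the
// OPT "class" field and DO in the high bit of the low 16 bits of its "TTL" field.
function buildDnssecQuery (name, qtype, id, udpPayloadSize = 4096) {
  const header = Buffer.alloc(12)
  header.writeUInt16BE(id, 0); header.writeUInt16BE(RD, 2)
  header.writeUInt16BE(1, 4); header.writeUInt16BE(1, 10) // QDCOUNT 1, ARCOUNT 1 (the OPT record)
  const question = Buffer.concat([encodeName(name), Buffer.from([0, qtype, 0, 1])])
  const opt = Buffer.alloc(11) // root name 0x00, type, class, ttl, rdlength 0
  opt.writeUInt16BE(TYPE.OPT, 1); opt.writeUInt16BE(udpPayloadSize, 3)
  opt.writeUInt32BE(DO_BIT, 5) // ext-rcode 0, EDNS version 0, flags = DO
  return Buffer.concat([header, question, opt])
}

// Read a possibly compressed name -> [name, offsetAfterName]. Pointers must go
// strictly backwards, which also rules out pointer loops.
function readName (buf, offset) {
  const labels = []
  let pos = offset, after = -1
  for (;;) {
    const len = buf[pos]
    if (len === 0) { pos++; break }
    if ((len & 0xc0) === 0xc0) {
      const target = ((len & 0x3f) << 8) | buf[pos + 1]
      if (target >= pos) throw new Error('bad compression pointer')
      if (after < 0) after = pos + 2 // resume after the 2-byte pointer
      pos = target; continue
    }
    labels.push(buf.toString('ascii', pos + 1, pos + 1 + len))
    pos += 1 + len
  }
  return [labels.join('.') || '.', after < 0 ? pos : after]
}

// Parse a reply into sections, recording AD, the DO echo and any RRSIGs.
function parseResponse (buf) {
  if (buf.length < 12) throw new Error('short packet')
  const counts = [4, 6, 8, 10].map(o => buf.readUInt16BE(o))
  const out = { id: buf.readUInt16BE(0), ad: (buf.readUInt16BE(2) & AD) !== 0,
    doBit: false, questions: [], answers: [], authorities: [], additionals: [] }
  let pos = 12
  for (let i = 0; i < counts[0]; i++) {
    const [name, next] = readName(buf, pos)
    out.questions.push({ name, type: buf.readUInt16BE(next) })
    pos = next + 4
  }
  for (const [k, section] of ['answers', 'authorities', 'additionals'].entries()) {
    for (let i = 0; i < counts[k + 1]; i++) {
      const [name, next] = readName(buf, pos)
      const rdlen = buf.readUInt16BE(next + 8)
      if (next + 10 + rdlen > buf.length) throw new Error('truncated RR')
      const rr = { name, type: buf.readUInt16BE(next), ttl: buf.readUInt32BE(next + 4),
        rdata: buf.subarray(next + 10, next + 10 + rdlen) }
      if (rr.type === TYPE.OPT) {
        rr.udpPayloadSize = buf.readUInt16BE(next + 2) // OPT reuses the class field
        out.doBit = (rr.ttl & DO_BIT) !== 0
      }
      if (rr.type === TYPE.RRSIG) rr.typeCovered = rr.rdata.readUInt16BE(0)
      out[section].push(rr)
      pos = next + 10 + rdlen
    }
  }
  out.rrsigTypes = out.answers.filter(r => r.type === TYPE.RRSIG).map(r => r.typeCovered)
  return out
}

// Constructed reply to the query above (sample data, not a capture): AD set, an A
// record plus an RRSIG over it with placeholder signature bytes, OPT echoing DO.
function buildSampleResponse (query) {
  const qEnd = 12 + encodeName('www.example.org').length + 4
  const header = Buffer.from(query.subarray(0, 12))
  header.writeUInt16BE(0x8000 | RD | 0x0080 | AD, 2); header.writeUInt16BE(2, 6) // QR RD RA AD; ANCOUNT 2
  const rr = (type, rdata) => {                        // owner name = pointer to the question name
    const fixed = Buffer.alloc(10)
    fixed.writeUInt16BE(type, 0); fixed.writeUInt16BE(1, 2)
    fixed.writeUInt32BE(300, 4); fixed.writeUInt16BE(rdata.length, 8)
    return Buffer.concat([Buffer.from([0xc0, 0x0c]), fixed, rdata])
  }
  const sig = Buffer.alloc(18)                          // RRSIG fixed fields; times and key tag left 0
  sig.writeUInt16BE(TYPE.A, 0); sig[2] = 13; sig[3] = 3; sig.writeUInt32BE(300, 4) // covered, alg 13, labels, orig TTL
  return Buffer.concat([header, query.subarray(12, qEnd),
    rr(TYPE.A, Buffer.from([192, 0, 2, 1])),
    rr(TYPE.RRSIG, Buffer.concat([sig, encodeName('example.org'), Buffer.alloc(64)])),
    query.subarray(qEnd)])                              // the OPT record, DO still set
}

const query = buildDnssecQuery('www.example.org', TYPE.A, 0x1234)
const reply = parseResponse(buildSampleResponse(query))
console.log({ do: reply.doBit, ad: reply.ad, rrsigCovers: reply.rrsigTypes })
```

Two caveats worth keeping in mind when reading the result. DO only asks the resolver to return RRSIG records; whether they come back depends on the zone being signed and on the resolver honouring EDNS0. The AD flag is the resolver's claim that it validated the answer, and a stub client talking to a remote resolver over plain UDP cannot distinguish that claim from a forged one, so treat AD as meaningful only for a local validating resolver or an authenticated transport; otherwise validation means checking each RRSIG against the zone's DNSKEY and chaining DS records up to the root trust anchor yourself.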
dalbodeule commented 5 years ago

I did not get an RRSIG back when testing with Google, but I do get RRSIG records when I test against my personal site. Is Google not using RRSIG records? Previously we tested the OPT record in the Additionals field, but here is why we did not receive the RRSIG.

silverwind commented 5 years ago

It appears google.com does not have DNSSEC enabled, also try dig +dnssec google.com.

hildjj commented 5 years ago

I always test DNSSEC against ietf.org or icann.org; those domains have various folks interested in ensuring they stay correct.

I'm also interested in checking DNSSEC validity, see https://github.com/hildjj/dohdec/issues/3. Happy to collaborate either here or in a different project.