Do certificates for IP Addresses work?
Richard Laager
rlaager at wiktel.com
Sun Feb 3 21:19:19 UTC 2019
On 2/3/19 1:39 PM, Sanjeev Gupta wrote:
> The Google resolver checks for valid DNSSEC, and sets the bit.
and does not return a result if DNSSEC fails.
$ dig dnssec.fail @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35621
$ dig dnssec-failed.org @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45396
> However,
> practically no one contacts Google DNS directly, it is their home router
> or office gateway that does this. And these resolvers do not check DNSSEC.
Right, it's not ideal. Anyone between them and their home/office router
or, more importantly, that router and Google can mess with their DNS.
--
Richard
More information about the devel
mailing list