Do certificates for IP Addresses work?

Richard Laager rlaager at wiktel.com
Sun Feb 3 21:19:19 UTC 2019


On 2/3/19 1:39 PM, Sanjeev Gupta wrote:
> The Google resolver checks for valid DNSSEC, and sets the bit.

and does not return a result if DNSSEC fails.

$ dig dnssec.fail @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35621
$ dig dnssec-failed.org @8.8.8.8 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45396

> However,
> practically no one contacts Google DNS directly, it is their home router
> or office gateway that does this.  And these resolvers do not check DNSSEC.

Right, it's not ideal. Anyone between them and their home/office router
or, more importantly, that router and Google can mess with their DNS.

-- 
Richard
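
[Added example, not part of the original message or of any project's code.] The two outcomes discussed in this thread (the validating resolver "sets the bit", i.e. AD, on data it has validated, and answers SERVFAIL when validation fails) can be read straight from the 12-byte DNS header. The function names and the sample headers below are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035; AD is defined by DNSSEC, RFC 4035)
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid=0x1234):
    """Wire-format A query with RD and AD set. AD in a query tells the
    resolver the client wants the validation status back (RFC 6840)."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response):
    """Return (rcode_name, ad_bit, verdict) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, *_counts = struct.unpack("!HHHHHH", response[:12])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    ad = bool(flags & AD)
    name = RCODES.get(rcode, f"RCODE{rcode}")
    if rcode == 2:
        # What a validating resolver sends for bogus data; SERVFAIL has other causes too.
        verdict = "failed"
    elif ad and rcode in (0, 3):
        verdict = "validated"
    else:
        # Unsigned zone, or a resolver on the path that does not validate.
        verdict = "unvalidated"
    return name, ad, verdict

def _header(flags, ancount):
    """Build a constructed response header with the given flags."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample response headers (not captured traffic).
SAMPLE_VALIDATED = _header(QR | RD | RA | AD, 1)
SAMPLE_SERVFAIL = _header(QR | RD | RA | 2, 0)
SAMPLE_UNVALIDATED = _header(QR | RD | RA, 1)

if __name__ == "__main__":
    for pkt in (SAMPLE_VALIDATED, SAMPLE_SERVFAIL, SAMPLE_UNVALIDATED):
        print(classify(pkt))
```

A client behind a non-validating home or office resolver sees the "unvalidated" case even for signed zones, which is the gap described above.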

