SkyDNS is able to do DNSSEC. It generates signatures and NSEC3 records on the fly. For authenticated denial of existence SkyDNS uses NSEC3 white lies; of course, implementing (and testing!) this isn't completely trivial.
To aid in debugging I've set up a live version of SkyDNS on voordeur.atoom.net, under the name skydns.dnssex.nl:

```
% dig +mul +noall +answer @voordeur.atoom.net soa skydns.dnssex.nl
skydns.dnssex.nl.       3600 IN SOA ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. (
                        1403942400 ; serial
                        28800      ; refresh (8 hours)
                        7200       ; retry (2 hours)
                        604800     ; expire (1 week)
                        60         ; minimum (1 minute)
                        )
```
To help get DNSSEC support 100% working, this zone has been delegated and has a DS record in the parent zone. With unbound-host you can see the validation status of this zone:

```
% unbound-host -C /etc/unbound/unbound.conf -vt SOA skydns.dnssex.nl
skydns.dnssex.nl has SOA record ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. 1403942400 28800 7200 604800 60 (secure)
```

The trailing (secure) indicates that DNSSEC validation is in order.
However, for NXDOMAIN and NODATA responses it gets a bit more flaky. Some of it is working:

```
% unbound-host -C /etc/unbound/unbound.conf -vt TXT dns.skydns.dnssex.nl
dns.skydns.dnssex.nl has no TXT record (secure)
```

And some is not:

```
% unbound-host -C /etc/unbound/unbound.conf -vt SRV server2.miek.skydns.dnssex.nl
Host server2.miek.skydns.dnssex.nl not found: 3(NXDOMAIN). (BOGUS (security failure))
validation failure <server2.miek.skydns.dnssex.nl. SRV IN>: nameerror proof failed from 184.108.40.206
```
Sad face. I believe this is due to defaulting to skydns.dnssex.nl as the closest encloser and *.skydns.dnssex.nl as the source of synthesis, but I haven't had the time to dig deeper into this.
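As an added example (not SkyDNS code and not from this post), the following stand-alone Go program, using only the standard library, shows the two things the post describes: how an NSEC3 white lie is built (an NSEC3 record whose owner is the query name's hash minus one and whose next hashed owner is the hash plus one, so that only that single hash is denied), and how the closest encloser decides which three names an NXDOMAIN proof must match and cover. The zone contents, the salt and the iteration count are constructed assumptions and have nothing to do with the real skydns.dnssex.nl zone; the hash routine is checked against the RFC 5155 Appendix A vector for the name example. with salt aabbccdd and 12 iterations.

```go
package main

import (
	"crypto/sha1"
	"encoding/base32"
	"fmt"
	"strings"
)

// NSEC3 owner labels use base32hex without padding (RFC 5155 section 3.3).
var b32 = base32.HexEncoding.WithPadding(base32.NoPadding)

// wireName turns "A.b.c." into canonical wire format: lowercased labels, each
// preceded by its length, terminated by a zero byte.
func wireName(name string) []byte {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	var out []byte
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0)
}

// nsec3HashBytes is the hash of RFC 5155 section 5:
// IH(0) = SHA1(wire(name) || salt), IH(k) = SHA1(IH(k-1) || salt).
func nsec3HashBytes(name string, salt []byte, iterations int) []byte {
	sum := sha1.Sum(append(wireName(name), salt...))
	for i := 0; i < iterations; i++ {
		sum = sha1.Sum(append(sum[:], salt...))
	}
	return sum[:]
}

// nsec3Hash returns the hash as the label that appears in an NSEC3 owner name.
func nsec3Hash(name string, salt []byte, iterations int) string {
	return b32.EncodeToString(nsec3HashBytes(name, salt, iterations))
}

// adjacent returns h+1 (delta > 0) or h-1 (delta < 0), treating the hash as a
// big-endian integer modulo 2^160; base32hex preserves this ordering as strings.
func adjacent(h []byte, delta int) []byte {
	out := append([]byte(nil), h...)
	for i := len(out) - 1; i >= 0; i-- {
		if delta > 0 {
			if out[i]++; out[i] != 0x00 {
				break
			}
		} else {
			if out[i]--; out[i] != 0xff {
				break
			}
		}
	}
	return out
}

// whiteLie returns the (owner, next) hashes of a minimally covering NSEC3
// (RFC 7129 section 7): owner = hash-1, next = hash+1, so only this one hash is
// denied and the server never needs the real hash order of the zone. With match
// set the record matches the name itself (owner = hash), which is how the
// closest encloser is shown to exist.
func whiteLie(name string, salt []byte, iterations int, match bool) (owner, next string) {
	h := nsec3HashBytes(name, salt, iterations)
	o := h
	if !match {
		o = adjacent(h, -1)
	}
	return b32.EncodeToString(o), b32.EncodeToString(adjacent(h, +1))
}

// closestEncloser walks up from qname to the first ancestor that exists
// (RFC 5155 section 7.2.1) and returns the three names an NXDOMAIN proof must
// account for: the closest encloser (matched), the next closer name (covered)
// and the wildcard at the closest encloser (covered).
func closestEncloser(qname string, exists func(string) bool) (ce, nextCloser, wildcard string) {
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	for i := 1; i < len(labels); i++ {
		candidate := strings.Join(labels[i:], ".") + "."
		if exists(candidate) {
			return candidate, strings.Join(labels[i-1:], ".") + ".", "*." + candidate
		}
	}
	return "", "", ""
}

func main() {
	// Constructed zone for the demonstration (an assumption, not the real zone).
	zone := map[string]bool{"skydns.dnssex.nl.": true, "dns.skydns.dnssex.nl.": true, "miek.skydns.dnssex.nl.": true}
	exists := func(n string) bool { return zone[n] }
	salt := []byte{0xaa, 0xbb, 0xcc, 0xdd} // constructed NSEC3PARAM salt
	const iter = 0
	qname := "server2.miek.skydns.dnssex.nl."

	ce, nc, wc := closestEncloser(qname, exists)
	fmt.Printf("closest encloser %s, next closer %s, wildcard %s\n", ce, nc, wc)
	// Type bitmaps are omitted from the printed records.
	for _, p := range []struct {
		name  string
		match bool
	}{{ce, true}, {nc, false}, {wc, false}} {
		owner, next := whiteLie(p.name, salt, iter, p.match)
		fmt.Printf("%s.skydns.dnssex.nl. NSEC3 1 0 %d aabbccdd %s\n", owner, iter, next)
	}
	// If the apex is taken as closest encloser instead, the next closer name and
	// the wildcard change, so a different set of hashes would have to be covered.
	ce, nc, wc = closestEncloser(qname, func(n string) bool { return n == "skydns.dnssex.nl." })
	fmt.Printf("with apex as closest encloser: next closer %s, wildcard %s\n", nc, wc)
}
```

Running it prints the three NSEC3 records for the constructed zone and then the names that would have to be covered if the apex were used as the closest encloser. The point for testing a white-lies implementation is that all three records in an NXDOMAIN answer have to agree on one closest encloser: the matched record, the covered next closer name and the covered wildcard are derived from it, and a validator that cannot find a consistent set reports the "nameerror proof failed" seen in the post.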
In the near future I hope to update the current tests to include NSEC3 white lies tests.