SkyDNS running live

June 28, 2014


SkyDNS is able to do DNSSEC: it generates signatures and NSEC3 records on the fly. For authenticated denial of existence SkyDNS uses NSEC3 white lies, minimally covering NSEC3 records synthesized per query so that only the hash of the name being denied is covered and no precomputed NSEC3 chain is needed. Of course, implementing (and testing!) this isn't completely trivial.

To aid in debugging I've set up a live version of SkyDNS on, under the name the zone:

% dig +mul +noall +answer soa    3600 IN SOA hostmaster.skydns.local. (
                            1403942400 ; serial
                            28800      ; refresh (8 hours)
                            7200       ; retry (2 hours)
                            604800     ; expire (1 week)
                            60         ; minimum (1 minute)
                            )

To help get DNSSEC support 100% working, this zone has been delegated and has a DS record in the parent zone, so a validating resolver can build a chain of trust down to it. With unbound-host you can see the validation status of this zone:

% unbound-host -C /etc/unbound/unbound.conf -vt SOA has SOA record hostmaster.skydns.local. 
    1403942400 28800 7200 604800 60 (secure)

Where (secure) indicates that unbound validated the answer: the chain from its trust anchor through the parent's DS record to this zone's DNSKEY and the RRSIG over the SOA checks out.


However, for NXDOMAIN and NODATA responses, the ones that need NSEC3 records to prove that a name or type is absent, it gets a bit more flaky. Some of it is working:

% unbound-host -C /etc/unbound/unbound.conf -vt TXT has no TXT record (secure)

And some is not:

% unbound-host -C /etc/unbound/unbound.conf -vt SRV
Host not found: 3(NXDOMAIN). (BOGUS (security failure))
validation failure < SRV IN>: 
    nameerror proof failed from

Sad face. I believe this is due to defaulting to as the closest encloser and * as the source of synthesis, but I haven't had the time to dig deeper into this.
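How the white lies from the first paragraph fit together into the NXDOMAIN proof that fails above, as an added example written for this post; it is not SkyDNS's own code (SkyDNS builds on the miekg/dns library, this block uses only the Go standard library). It takes its NSEC3 parameters from the RFC 5155 Appendix A example zone so the hashes can be checked against that appendix, and it assumes, as the post suspects SkyDNS does, that the closest encloser is the zone apex; the query name nx.example. and the type list at the apex are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// NSEC3 parameters from the RFC 5155 Appendix A example zone, so hashes can be checked against it.
var (
	nsec3Iterations = 12
	nsec3Salt, _    = hex.DecodeString("aabbccdd")
	b32             = base32.HexEncoding.WithPadding(base32.NoPadding) // RFC 5155 §1.3: base32hex, no padding
)

// wireName: presentation name to canonical wire format (RFC 4034 §6.2): lowercase, length-prefixed labels, zero octet.
func wireName(name string) []byte {
	var out []byte
	if name = strings.ToLower(strings.TrimSuffix(name, ".")); name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// nsec3Hash is IH(salt, name, iterations) from RFC 5155 §5: SHA-1(name||salt), then `iterations` rounds of SHA-1(digest||salt).
func nsec3Hash(name string, salt []byte, iterations int) []byte {
	sum := sha1.Sum(append(wireName(name), salt...))
	for i := 0; i < iterations; i++ {
		sum = sha1.Sum(append(sum[:], salt...))
	}
	return sum[:]
}

// adjacent returns h+delta as a big-endian integer, wrapping at the ends of the hash space (for H(name)-1 and H(name)+1).
func adjacent(h []byte, delta int64) []byte {
	n := new(big.Int).Add(new(big.Int).SetBytes(h), big.NewInt(delta))
	space := new(big.Int).Lsh(big.NewInt(1), uint(8*len(h)))
	return n.Mod(n, space).FillBytes(make([]byte, len(h)))
}

// NSEC3 holds what a denial proof needs: hashed owner, next hashed owner, and the types present at the owner.
type NSEC3 struct {
	OwnerHash, NextHash []byte
	Types               []string
}

// covering is the white lie: owner = H(name)-1, next = H(name)+1, so the record covers exactly H(name).
func covering(name string, salt []byte, iter int) NSEC3 {
	h := nsec3Hash(name, salt, iter)
	return NSEC3{OwnerHash: adjacent(h, -1), NextHash: adjacent(h, +1)}
}

// Covers is the validator-side check: h lies strictly between OwnerHash and NextHash (owner > next means the interval wraps).
func (r NSEC3) Covers(h []byte) bool {
	afterOwner, beforeNext := bytes.Compare(r.OwnerHash, h) < 0, bytes.Compare(h, r.NextHash) < 0
	if bytes.Compare(r.OwnerHash, r.NextHash) < 0 {
		return afterOwner && beforeNext
	}
	return afterOwner || beforeNext
}

// nextCloser is the name one label below the closest encloser ce on the path down to qname.
func nextCloser(qname, ce string) string {
	q := strings.Split(strings.TrimSuffix(strings.ToLower(qname), "."), ".")
	c := strings.Split(strings.TrimSuffix(strings.ToLower(ce), "."), ".")
	if len(q) <= len(c) {
		return qname
	}
	return strings.Join(q[len(q)-len(c)-1:], ".") + "."
}

// nxdomainProof builds the three NSEC3 RRs an NXDOMAIN answer must carry (RFC 5155 §7.2.2):
// one matching the closest encloser ce (with ce's types), one covering the next closer name, one covering *.ce.
func nxdomainProof(qname, ce string, ceTypes []string, salt []byte, iter int) []NSEC3 {
	h := nsec3Hash(ce, salt, iter)
	return []NSEC3{
		{OwnerHash: h, NextHash: adjacent(h, +1), Types: ceTypes},
		covering(nextCloser(qname, ce), salt, iter),
		covering("*."+ce, salt, iter),
	}
}

// Present renders r in zone-file syntax under zone (hash algorithm 1 = SHA-1, flags 0).
func (r NSEC3) Present(zone string, salt []byte, iter int) string {
	return strings.TrimSpace(fmt.Sprintf("%s.%s 3600 IN NSEC3 1 0 %d %s %s %s", b32.EncodeToString(r.OwnerHash),
		zone, iter, hex.EncodeToString(salt), b32.EncodeToString(r.NextHash), strings.Join(r.Types, " ")))
}

func main() { // constructed query for a name that does not exist; closest encloser assumed to be the apex
	apex := []string{"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM"}
	for _, r := range nxdomainProof("nx.example.", "example.", apex, nsec3Salt, nsec3Iterations) {
		fmt.Println(r.Present("example.", nsec3Salt, nsec3Iterations))
	}
}
```

A validator such as unbound runs the mirror image of nxdomainProof: it hashes the ancestors of the query name looking for an NSEC3 that matches one of them (the closest encloser), then requires the next closer name and the wildcard directly below that encloser to be covered. When one of the three records is missing or computed for the wrong name, the whole proof is rejected, which is what the "nameerror proof failed" above reports.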


In the near future I hope to update the current tests to include NSEC3 white lie tests.
