# SkyDNS running live


[SkyDNS](https://github.com/skynetservices/skydns) is able to do DNSSEC. It generates
signatures and NSEC3 records on the fly. For authenticated denial of existence SkyDNS
uses [NSEC3 white lies](http://tools.ietf.org/html/rfc7129#appendix-B). Of course, implementing
(and testing!) this isn't completely trivial.

To aid in debugging I've set up a live version of SkyDNS on `voordeur.atoom.net`, under the
zone <http://dnssex.nl>:

    % dig +mul +noall +answer @voordeur.atoom.net soa skydns.dnssex.nl
    skydns.dnssex.nl.    3600 IN SOA ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. (
                                1403942400 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                60         ; minimum (1 minute)
                                )

To help get DNSSEC support 100% working, this zone has been delegated and has a DS record
in the parent zone. With `unbound-host` you can see the validation status of this zone:

    % unbound-host -C /etc/unbound/unbound.conf -vt SOA skydns.dnssex.nl 
    skydns.dnssex.nl has SOA record ns1.dns.skydns.dnssex.nl. hostmaster.skydns.local. 
        1403942400 28800 7200 604800 60 (secure)

Where `(secure)` indicates DNSSEC is in order.


## Bugs

However, for NXDOMAIN and NODATA responses it gets a bit more flaky, but some stuff is working:

    % unbound-host -C /etc/unbound/unbound.conf -vt TXT dns.skydns.dnssex.nl
    dns.skydns.dnssex.nl has no TXT record (secure)

And some is not:

    % unbound-host -C /etc/unbound/unbound.conf -vt SRV server2.miek.skydns.dnssex.nl
    Host server2.miek.skydns.dnssex.nl not found: 3(NXDOMAIN). (BOGUS (security failure))
    validation failure <server2.miek.skydns.dnssex.nl. SRV IN>: 
        nameerror proof failed from 89.98.74.120

*sadface* I believe this is due to defaulting to `skydns.dnssex.nl` as the closest encloser
and `*.skydns.dnssex.nl` as the source of synthesis, but I haven't had the time to 
dig deeper into this.
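
As an added example (not SkyDNS's own code), this sketch computes what a validator expects in a name error proof: an NSEC3 matching the closest encloser, plus white-lie intervals covering the next closer name and the wildcard at the closest encloser. The zone contents, salt and iteration count are constructed assumptions, and `nsec3Hash`, `b32`, `whiteLie` and `proof` are hypothetical helper names.

```go
package main

import (
	"crypto/sha1"
	"encoding/base32"
	"fmt"
	"math/big"
	"strings"
)

// nsec3Hash is the RFC 5155 section 5 hash: iterated, salted SHA-1 of the wire-format name.
func nsec3Hash(name string, salt []byte, iter int) []byte {
	var wire []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		wire = append(append(wire, byte(len(l))), l...)
	}
	h := sha1.Sum(append(append(wire, 0), salt...))
	for ; iter > 0; iter-- {
		h = sha1.Sum(append(h[:], salt...))
	}
	return h[:]
}

// b32 renders a hash as an NSEC3 owner label (base32hex, lower case).
func b32(h []byte) string { return strings.ToLower(base32.HexEncoding.EncodeToString(h)) }

// whiteLie gives the RFC 7129 appendix B interval hash-1 .. hash+1 (no wrap-around handling).
func whiteLie(h []byte) string {
	n, one, buf := new(big.Int).SetBytes(h), big.NewInt(1), make([]byte, len(h))
	return b32(new(big.Int).Sub(n, one).FillBytes(buf)) + " .. " + b32(new(big.Int).Add(n, one).FillBytes(buf))
}

// proof lists the NSEC3 records a name error needs (RFC 5155 section 7.2.2) for qname.
func proof(qname string, exists map[string]bool, salt []byte, iter int) (ce string, rrs [3]string) {
	nc := qname
	for ce = qname; ce != "" && !exists[ce]; ce = ce[strings.Index(ce, ".")+1:] {
		nc = ce // longest non-existent ancestor so far: the next closer name
	}
	rrs[0] = "match closest encloser " + b32(nsec3Hash(ce, salt, iter))
	for i, n := range []string{nc, "*." + ce} {
		rrs[i+1] = "cover " + n + " " + whiteLie(nsec3Hash(n, salt, iter))
	}
	return ce, rrs
}

func main() {
	// Constructed zone contents, salt and iterations: assumptions, not the live zone's data.
	zone := map[string]bool{"skydns.dnssex.nl.": true, "miek.skydns.dnssex.nl.": true}
	fmt.Println(proof("server2.miek.skydns.dnssex.nl.", zone, []byte{0xaa, 0xbb}, 0))
}
```

With `miek.skydns.dnssex.nl.` present in the constructed zone, the wildcard interval is computed for `*.miek.skydns.dnssex.nl.`; with only the apex present it is computed for `*.skydns.dnssex.nl.`, so the set of existing names decides which hashes the response must carry.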

## Testing

In the near future I hope to update the [current test](https://github.com/skynetservices/skydns/blob/master/server_test.go) to include NSEC3 white lies tests.

