Google adds validation to DNSSEC Worldwide, the rollout of DNSSEC can comfortably be described as “glacial”, but Google valiantly continues to try to give it profile. Having launched its own DNSSEC service three years ago, Mountain View has now added DNSSEC validation to its public DNS resolvers. Announced in this blog post, Google says the move means “we can …
Without DNSSEC, there is still a possibility of Kaminsky exploit. True, but misleading.
But to say 'most of the Internet remains vulnerable to the so-called “Kaminsky bug”' is less-than-responsible journalism. Patches have been available for years and all responsible sysadmins have deployed them. Success of a Kaminsky attack against a patched DNS server is possible but the chance is very, very low.
There are plenty of good reasons to use DNSSEC as there are quite a few vulnerabilities. But please don't put Kaminsky attack at the top of your list.
On the internet and google thinks they can reasonably expect a majority of major players to actually do this when it potentially could stop people reaching their sites.
I have to take a hit and pass it on, just can't imagine this happening.
Btw google thanks for letting me use your DNS servers though, it's appreciated :)
World IPv6 day (and several anniversaries and similar events) pretty much proved that this is a nonsense on any vaguely modern OS. Fact is, if your computer supports IPv6, then it will either use it (if it's available and globally-addressable) or fall back to IPv4 (if not). And if you use IPv4, nothing IPv6 will affect you at all.
You aren't going to damage anyone by publishing an AAAA record that anything without IPv6 accessibility will ignore. And in all modern OS's (i.e. XP and above), if you have IPv6 and it's working then it will get used. If it's not, then it won't.
censorship and advertisements. There are a lot of ISPs who mess with DNS for failed requests and tell it to point to their own server which then serves ads.
Further more many internet censorship plans mess with DNS in order to divert certain sites to a "warning" site.
Google.com? No DNSSEC there. Google.co.uk? Same. Likewise OpenDNS.com.
It's depressing: when even the DNSSEC *advocates* aren't actually enabling it themselves, who will? (FWIW, my personal domain has DNSCurve and DNSSEC, as well as IPv6 - it's truly disappointing that Google don't!)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
