[dns-operations] What's wrong with my domain?

Jim Reid jim at rfc1035.com
Wed Jul 2 11:15:52 UTC 2014

On 2 Jul 2014, at 11:29, Mohamed Lrhazi <ml623 at georgetown.edu> wrote:

> I am sure I messed up something, but cant figure out what! Some DNS
> servers, notably Google's, return SERVFAIL, since a couple of days now.

DNSSEC for gu.edu appears to be broken. google's service does DNSSEC validation. SERVFAILs get returned when validation fails. FWIW my name servers also do DNSSEC validation and they get SERVFAILs for your domain too.

It looks to me like someone/something rolled gu.edu's KSK and forgot to get the parent delegation updated. .edu has one DS record for gu.edu which is for a key with fingerprint 3078. None of the DNSKEYs in gu.edu have that footprint. This makes it impossible to validate any signed data under gu.edu:

% drill -TD gu.edu ns
[T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed 
;; Domain: gu.edu.
;; Signature ok but no chain to a trusted key or ds record
[S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}

More information about the dns-operations mailing list