[dns-operations] www.factorymoneystore.gov DNSSec Failures

Casey Deccio casey at deccio.net
Sat Jul 26 19:40:07 UTC 2014

On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <ryan at u13.net> wrote:

> http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov
>         RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA
> Verification failed)
>         RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA
> Verification failed)
>         None of the 2 RRSIG and 4 DNSKEY records validate the A RRset
>         The A RRset was not signed by any keys in the chain-of-trust
> Validation for moneyfactorystore.gov succeeds, however
> www.moneyfactorystore.gov fails.  Came across this when a user pointed
> out that it was not resolving.
Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give
an authenticated response [2].  I'm not sure about the reported RSA
verification failures, but it could be that your resolver is (incorrectly)
expecting a closest encloser NSEC3 record, which isn't necessary for
wildcard responses, but which some older versions of BIND required it [3].
What resolver are you running?


[1] http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/
[2] https://www.dns-oarc.net/oarc/services/odvr
[3] See the following thread:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140726/de1c5d65/attachment.html>

More information about the dns-operations mailing list