[dns-operations] DNSSEC failures resolving the Sophos domain sophosxl.net

Craig Leres leres at ee.lbl.gov
Thu Jan 19 22:43:40 UTC 2017

We do dnssec validation at LBL and for many months have been seeing 
Sophos client dns lookup failures that might result from the use of dns 
to validate threat signatures. Here's an example named 9.10 log message 
from a recursive resolver:

        2 Jan 19 14:09:18 131.243.???.??? named[1316]: client 
rpz NSIP rewrite 
via 931np766rn5645s1.i.00.s.sophosxl.net unrecognized NS 
rpz_rrset_find() failed: SERVFAIL

While we do make extensive use of rpz we do not use the NSIP feature nor 
do we even build bind with RPZ_NSIP support.

Here's a dnsviz.net report that shows a number of DNSSEC issues:


So far attempts to interest Sophos tech support in this issue have 
failed. It would be appreciated if someone could put us in touch with a 
clueful contact at Sophos.


More information about the dns-operations mailing list