[dns-operations] service-now.com DNSSEC broken?

Casey Deccio casey at deccio.net
Sat Jan 28 03:21:48 UTC 2017

> On Jan 27, 2017, at 8:03 PM, David <opendak at shaw.ca> wrote:
> On 2017-01-27 5:33 PM, Stephan Lagerholm wrote:
>> as well as Comcast DNS is servfailing without the +cd bit. But
>> domain comes out clean in the verisign and dnsviz debuggers.
>> Can anybody help me figure out what is wrong with it?
> https://puck.nether.net/pipermail/outages/2017-January/010036.html

Looks like it is intermittent:

http://dnsviz.net/d/service-now.com/e/126998240/dnssec/ (looks good)
http://dnsviz.net/d/service-now.com/e/127004107/dnssec/ (looks broken)

(Both examples query

Perhaps the DS/DNSKEY inconsistency exists in some of the backend caches of Google and Comcast, but not everywhere.  Even when the correct records (i.e., matching DS/DNSKEY) are returned by, SERVFAIL is returned without the CD bit set in the request [1].


[1] This can be seen in the "history" field of the raw request/response data associated with the first analysis (which otherwise looks good) above: http://dnsviz.net/d/service-now.com/e/126998240/REST/raw/?p=1 (see "INVALID_RCODE")

More information about the dns-operations mailing list