[dns-operations] service-now.com DNSSEC broken?
casey at deccio.net
Sat Jan 28 03:21:48 UTC 2017
> On Jan 27, 2017, at 8:03 PM, David <opendak at shaw.ca> wrote:
> On 2017-01-27 5:33 PM, Stephan Lagerholm wrote:
>> 184.108.40.206 as well as Comcast DNS is servfailing without the +cd bit. But
>> domain comes out clean in the verisign and dnsviz debuggers.
>> Can anybody help me figure out what is wrong with it?
Looks like it is intermittent:
http://dnsviz.net/d/service-now.com/e/126998240/dnssec/ (looks good)
http://dnsviz.net/d/service-now.com/e/127004107/dnssec/ (looks broken)
(Both examples query 220.127.116.11)
Perhaps the DS/DNSKEY inconsistency exists in some of the backend caches of Google and Comcast, but not everywhere. Even when the correct records (i.e., matching DS/DNSKEY) are returned by 18.104.22.168, SERVFAIL is returned without the CD bit set in the request.
This can be seen in the "history" field of the raw request/response data associated with the first analysis (which otherwise looks good) above: http://dnsviz.net/d/service-now.com/e/126998240/REST/raw/?p=1 (see "INVALID_RCODE")
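The "matching DS/DNSKEY" condition discussed in this thread can be checked directly: a DS record is valid for a DNSKEY only if the key tag, algorithm and digest all line up (RFC 4034 section 5.1.4 and Appendix B). The script below is an added example for this thread, not code from the post, from DNSViz or from the resolvers involved; it computes key tags and DS digests from scratch and reports any DS in the parent that no DNSKEY in the child satisfies. The DNSKEY bytes, owner name and DS records it uses are constructed for illustration (the key is far too short to be a real RSA key), so it runs offline.

```python
"""Check whether a parent's DS records actually match a child's DNSKEY RRset.

Added example for the dns-operations thread above, not code from the post or
from DNSViz. Implements the key-tag (RFC 4034 Appendix B) and DS digest
(RFC 4034 section 5.1.4) computations over a constructed DNSKEY; the key bytes
below are made up and far too short for a real key.
"""
import hashlib

# Digest types registered for DS records (RFC 4034 / RFC 4509).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).digest()


def unmatched_ds(owner, dnskeys, ds_records):
    """Return the DS records that match none of the DNSKEYs.

    dnskeys: list of DNSKEY RDATA bytes (the child's RRset).
    ds_records: list of (key_tag, algorithm, digest_type, digest_hex) tuples
                (the parent's RRset). An empty result means every DS has a key;
                a non-empty one is the DS/DNSKEY inconsistency a validator would
                reject (SERVFAIL without CD, data only with CD).
    """
    bad = []
    for tag, alg, dtype, digest_hex in ds_records:
        ok = any(
            key_tag(k) == tag
            and k[3] == alg  # byte 3 of the RDATA is the algorithm
            and ds_digest(owner, k, dtype).hex() == digest_hex.lower()
            for k in dnskeys
        )
        if not ok:
            bad.append((tag, alg, dtype, digest_hex))
    return bad


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8) with an 8-byte
# made-up key so the tag is easy to verify by hand: 0x0101+0x0308+0x0301+0x0001
# +0xabcd+0xef12 = 0x1a1ea, fold the carry -> 0xa1eb = 41451.
SAMPLE_OWNER = "service-now.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes.fromhex("03010001abcdef12"))


def good_ds():
    """A DS generated from SAMPLE_KEY: what the parent should be publishing."""
    return (key_tag(SAMPLE_KEY), 8, 2, ds_digest(SAMPLE_OWNER, SAMPLE_KEY, 2).hex())


def stale_ds():
    """A DS whose digest no longer corresponds to any published key (constructed)."""
    tag, alg, dtype, digest_hex = good_ds()
    last = "ff" if digest_hex[-2:] == "00" else "00"
    return (tag, alg, dtype, digest_hex[:-2] + last)


if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KEY))
    print("consistent parent/child:", unmatched_ds(SAMPLE_OWNER, [SAMPLE_KEY], [good_ds()]))
    print("stale DS in parent:", unmatched_ds(SAMPLE_OWNER, [SAMPLE_KEY], [stale_ds()]))
```

To run this against a live zone rather than the constructed sample, fetch the child's DNSKEY RRset and the parent's DS RRset with `dig +cd +dnssec` (CD disables validation, so the resolver hands back the data it holds even when it would otherwise SERVFAIL), decode the base64 key material into the RDATA layout above, and pass both sets to `unmatched_ds`. Querying several resolver front ends, as the thread does, is what exposes a mismatch that lives only in some backend caches.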