[dns-operations] service-now.com DNSSEC broken?
Casey Deccio
casey at deccio.net
Sat Jan 28 03:21:48 UTC 2017
> On Jan 27, 2017, at 8:03 PM, David <opendak at shaw.ca> wrote:
>
> On 2017-01-27 5:33 PM, Stephan Lagerholm wrote:
>> 8.8.8.8 as well as Comcast DNS is servfailing without the +cd bit. But
>> domain comes out clean in the verisign and dnsviz debuggers.
>>
>> Can anybody help me figure out what is wrong with it?
>
> https://puck.nether.net/pipermail/outages/2017-January/010036.html
>
Looks like it is intermittent:
http://dnsviz.net/d/service-now.com/e/126998240/dnssec/ (looks good)
http://dnsviz.net/d/service-now.com/e/127004107/dnssec/ (looks broken)
(Both examples query 8.8.8.8)
Perhaps the DS/DNSKEY inconsistency exists in some of the backend caches of Google and Comcast, but not everywhere. Even when the correct records (i.e., matching DS/DNSKEY) are returned by 8.8.8.8, SERVFAIL is returned without the CD bit set in the request [1].
Casey
[1] This can be seen in the "history" field of the raw request/response data associated with the first analysis (which otherwise looks good) above: http://dnsviz.net/d/service-now.com/e/126998240/REST/raw/?p=1 (see "INVALID_RCODE")
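The thread's diagnosis hinges on whether the DS records at the parent match a DNSKEY in the child zone (same key tag, same algorithm, and a digest that recomputes over the owner name plus DNSKEY RDATA). The following is an added example, not code from the thread or from DNSViz, that performs that RFC 4034 consistency check offline on records in presentation format. The owner name `example.test.` and the tiny public keys (`AQIDBA==`, `BQYHCA==`) are constructed toy values so the arithmetic can be followed by hand; real keys are far longer, and the DS/DNSKEY sets would normally come from `dig` output against the resolver being debugged.

```python
"""DS/DNSKEY consistency check (RFC 4034) on constructed records."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA from the four presentation-format fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5)."""
    if len(rdata) % 2:
        rdata += b"\x00"  # odd trailing byte counts as the high byte of a 16-bit word
    total = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    total += (total >> 16) & 0xFFFF  # fold the carry back in
    return total & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), as uppercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, dnskey, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) a parent would publish."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], digest_type, ds_digest(owner, rdata, digest_type))


def matching_ds(owner, ds_set, dnskey_set):
    """Return the DS records that are backed by some DNSKEY in the child's apex set.

    A validator needs at least one such match to build a chain of trust; an empty
    result is the DS/DNSKEY inconsistency that makes a validating resolver SERVFAIL.
    """
    matched = []
    for ds in ds_set:
        tag, alg, dtype, digest = ds
        for key in dnskey_set:
            rdata = dnskey_rdata(*key)
            if (key[2] == alg and key_tag(rdata) == tag and dtype in DIGEST_ALGS
                    and ds_digest(owner, rdata, dtype) == digest.upper()):
                matched.append(ds)
                break
    return matched


if __name__ == "__main__":
    # Constructed records: a KSK (flags 257) and a ZSK (flags 256), both algorithm 8.
    owner = "example.test."
    ksk = (257, 3, 8, "AQIDBA==")
    zsk = (256, 3, 8, "BQYHCA==")
    parent_ds = [make_ds(owner, ksk)]
    print("key tag of KSK:", key_tag(dnskey_rdata(*ksk)))
    print("DS matched with KSK present:", matching_ds(owner, parent_ds, [ksk, zsk]))
    print("DS matched after KSK rolled away:", matching_ds(owner, parent_ds, [zsk]))
```

Run against live data, the two inputs are the DS RRset from the parent and the DNSKEY RRset from the child as seen through each resolver (with `+cd` so a failing resolver still hands back the records); an empty match on one resolver's view but not another's is consistent with the intermittent, cache-dependent picture described above.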