[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable

Zack Piper zack at apertron.com
Sat Jan 27 13:15:52 UTC 2018

Chris Thompson <cet1 at cam.ac.uk> writes:

> On Jan 26 2018, Zack Piper wrote:
>>We're trying to resolve the domain mazuma.co.th, resolving the domain (A
>>records) on any of the following nameservers result in a
>> returned SERVFAIL or otherwise no records
> [...]
>> returned SERVFAIL or otherwise no records
>>Of the 200 servers I tested, the above couldn't resolve 
>>The rest can resolve it to
> This is a (rather straightforward) DNSSEC configuration error. There is a
> DS record for mazuma.co.th in the parent zone co.th:
>
> mazuma.co.th.  7200  IN   DS   2371 13 2 17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315
>
> but no DNSKEY records in the zone itself (at ns{41,42}.domaincontrol.com).
> See e.g. http://dnsviz.net/d/mazuma.co.th/dnssec/

Ah, I see. Thank you!

>>So I guess the SERVFAIL ones feed from Google? What I'm curious to know
>>is: does Google's public DNS blacklist malicious websites? The
>>itself doesn't seem to be blocked on other things I checked.
>>Anyway, hopefully someone can shed some light on why Google's DNS can't
>>resolve mazuma.co.th but almost everything else can
> Validating resolvers will detect mazuma.co.th as broken and give 
> Non-validating ones will not. 

Zack Piper             System administrator
