[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable
Zack Piper
zack at apertron.com
Sat Jan 27 13:15:52 UTC 2018
Chris Thompson <cet1 at cam.ac.uk> writes:
> On Jan 26 2018, Zack Piper wrote:
>
>>We're trying to resolve the domain mazuma.co.th, resolving the domain (A
>>records) on any of the following nameservers results in a SERVFAIL:
>>
>>8.8.8.8: returned SERVFAIL or otherwise no records
> [...]
>>212.94.34.34: returned SERVFAIL or otherwise no records
>>
>>Of the 200 servers I tested, the above couldn't resolve mazuma.co.th
>>
>>The rest can resolve it to 107.180.126.240
>
> This is a (rather straightforward) DNSSEC configuration error. There is a
> DS record for mazuma.co.th in the parent zone co.th:
>
> mazuma.co.th. 7200 IN DS 2371 13 2 17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315
>
> but no DNSKEY records in the zone itself (at ns{41,42}.domaincontrol.com).
> See e.g. http://dnsviz.net/d/mazuma.co.th/dnssec/
>
Ah, I see. Thank you!
>>So I guess the SERVFAIL ones feed from Google? What I'm curious to know
>>is: does Google's public DNS blacklist malicious websites? The website
>>itself doesn't seem to be blocked on other things I checked.
>>
>>Anyway, hopefully someone can shed some light on why Google's DNS can't
>>resolve mazuma.co.th but almost everything else can
>
> Validating resolvers will detect mazuma.co.th as broken and give SERVFAIL.
> Non-validating ones will not.
--
Zack Piper System administrator
https://apertron.net
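
The condition diagnosed in this thread (a DS record in the parent with no matching DNSKEY in the child zone), as an added example that is not part of the original messages: it computes the key tag and SHA-256 DS digest for a DNSKEY and classifies how a validating resolver treats the delegation. The function names, the outcome labels and the DNSKEY bytes are assumptions constructed for illustration; only the DS values come from the thread.

```python
import hashlib
import struct

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def classify(owner, ds_set, dnskey_rdatas):
    """Outcome at a validating resolver for parent DS set vs child DNSKEY set."""
    if not ds_set:
        return "insecure"  # no DS: unsigned delegation, answered without validation
    for tag, alg, digest_type, digest in ds_set:
        for rd in dnskey_rdatas:
            if (digest_type == 2 and rd[3] == alg and key_tag(rd) == tag
                    and ds_digest_sha256(owner, rd) == digest.upper()):
                return "ds-matches-dnskey"  # chain can continue to RRSIG checks
    return "bogus"  # DS published but no matching DNSKEY: SERVFAIL

# DS record quoted in the thread: key tag 2371, algorithm 13, digest type 2.
PAGE_DS = (2371, 13, 2,
           "17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315")

# Constructed DNSKEY RDATA (flags 257, protocol 3, algorithm 13, 64 filler bytes);
# not a real key and not the key for mazuma.co.th.
CONSTRUCTED_KEY = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))

def ds_for(owner, rdata):
    """Build the DS tuple a parent should publish for this DNSKEY."""
    return (key_tag(rdata), rdata[3], 2, ds_digest_sha256(owner, rdata))

if __name__ == "__main__":
    zone = "mazuma.co.th."
    print(classify(zone, [PAGE_DS], []))                  # state described in the thread
    print(classify(zone, [], [CONSTRUCTED_KEY]))          # DS removed from the parent
    print(classify(zone, [ds_for(zone, CONSTRUCTED_KEY)], [CONSTRUCTED_KEY]))
```

A "ds-matches-dnskey" result only means the DS points at a key that exists in the zone; a resolver still has to verify the RRSIGs made with that key.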