[dns-operations] Google DNS + domain = not resolvable, other DNS + domain = resolvable

Zack Piper zack at apertron.com
Sat Jan 27 13:15:52 UTC 2018


Chris Thompson <cet1 at cam.ac.uk> writes:

> On Jan 26 2018, Zack Piper wrote:
>
>>We're trying to resolve the domain mazuma.co.th, resolving the domain (A
>>records) on any of the following nameservers result in a SERVFAIL:
>>
>>8.8.8.8: returned SERVFAIL or otherwise no records
> [...]
>>212.94.34.34: returned SERVFAIL or otherwise no records
>>
>>Of the 200 servers I tested, the above couldn't resolve mazuma.co.th
>>
>>The rest can resolve it to 107.180.126.240
>
> This is a (rather straightforward) DNSSEC configuration error. There is a
> DS record for mazuma.co.th in the parent zone co.th:
>
> mazuma.co.th.  7200  IN   DS   2371 13 2 17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315
>
> but no DNSKEY records in the zone itself (at ns{41,42}.domaincontrol.com).
> See e.g. http://dnsviz.net/d/mazuma.co.th/dnssec/
>
Ah, I see. Thank you!

>>So I guess the SERVFAIL ones feed from Google? What I'm curious to know
>>is: does Google's public DNS blacklist malicious websites? The website
>>itself doesn't seem to be blocked on other things I checked.
>>
>>Anyway, hopefully someone can shed some light on why Google's DNS can't
>>resolve mazuma.co.th but almost everything else can
>
> Validating resolvers will detect mazuma.co.th as broken and give SERVFAIL.
> Non-validating ones will not.


-- 
Zack Piper             System administrator
           https://apertron.net            
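
The failure diagnosed in this thread, as an added example that is not part of the original messages: a simplified model of how a resolver treats a zone whose parent publishes a DS record while the child serves no matching DNSKEY. The function names, the constructed test key and the reduced validation logic (only the DS-to-DNSKEY link, no RRSIG checks) are assumptions of this sketch; the DS values are the ones quoted above.

```python
import hashlib
import struct

# DS record quoted in the thread (parent zone co.th): key tag, algorithm, digest type, digest
PAGE_DS = (2371, 13, 2, "17E84A970ECAC1463F5DACD5F886115517D461E7350E526D85A1F376A06BB315")

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name wire form plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def resolver_outcome(owner, ds_set, dnskey_rdatas, validating):
    """Simplified model: only the DS-to-DNSKEY link is checked, not RRSIGs."""
    if not validating or not ds_set:
        return "NOERROR"   # non-validating resolver, or no DS so the zone is unsigned
    for tag, alg, dtype, digest in ds_set:
        for rdata in dnskey_rdatas:
            if (dtype == 2 and rdata[3] == alg and key_tag(rdata) == tag
                    and ds_sha256(owner, rdata) == digest.upper()):
                return "NOERROR"   # a DNSKEY matches the DS, chain of trust links
    return "SERVFAIL"      # DS present but no matching DNSKEY: treated as bogus

if __name__ == "__main__":
    zone = "mazuma.co.th"
    # State described in the thread: DS in the parent, no DNSKEY in the child zone
    print("validating:    ", resolver_outcome(zone, [PAGE_DS], [], True))
    print("non-validating:", resolver_outcome(zone, [PAGE_DS], [], False))
    # Constructed key (not the zone's real key) with a DS derived from it
    key = dnskey_rdata(257, 3, 13, bytes(range(64)))
    good_ds = (key_tag(key), 13, 2, ds_sha256(zone, key))
    print("after fix:     ", resolver_outcome(zone, [good_ds], [key], True))
```

The same model shows the two ways out of the broken state: publish a DNSKEY that matches the DS, or have the DS removed from the parent so the zone is treated as unsigned.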


