[dns-operations] Fortinet contact? Problems with their public resolvers
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Jun 13 08:05:13 UTC 2018
On 12.06.2018 at 20:04, Viktor Dukhovni wrote:
>
>
>> On Jun 12, 2018, at 12:12 PM, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>>
>> Their resolvers quite often return SERVFAIL for DNSSEC signed zones, and
>> we are quite sure that the zones are signed correctly and the
>> authoritative name servers respond correctly (see below).
>>
>> $ dig @208.91.112.53 dnssec-signiert.at
>
> I don't have a contact to suggest, but one might speculate as
> to the cause based on features of the data. The only "modern"
> feature I see that might plausibly give old software indigestion:
>
> * The DS RRset is SHA2 only
Thanks for your analysis. But we do have the same problem with other zones
with other hashes and other algos, e.g.:
$ dig @208.91.112.53 goeast.ch
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> @208.91.112.53 goeast.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57049
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
regards
Klaus
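
One way to narrow down a SERVFAIL like the one quoted above, as an added example that is not part of the original message: repeat the query with dig's +cd (checking disabled) option and compare the two response headers. The helper names parse_dig and triage are hypothetical, and the two +cd outputs are constructed samples, not responses observed from 208.91.112.53.

```python
import re

HEADER = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

def parse_dig(text):
    """Pull rcode, header flags and answer count out of dig's text output."""
    header, flags = HEADER.search(text), FLAGS.search(text)
    if not header or not flags:
        raise ValueError("no dig response header found")
    return {"status": header.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}

def triage(normal_out, cd_out):
    """Compare a normal query with the same query sent with +cd."""
    normal, cd = parse_dig(normal_out), parse_dig(cd_out)
    # RFC 4035 requires the server to copy the CD bit into its response.
    if "cd" not in cd["flags"]:
        raise ValueError("second output was not produced with +cd")
    if normal["status"] != "SERVFAIL":
        return "validated" if "ad" in normal["flags"] else "unvalidated-response"
    if cd["status"] == "NOERROR":
        # The resolver can fetch the data but rejects it when validating.
        return "validation-failure"
    # Fails even with validation off: reachability, EDNS or resolver fault.
    return "resolution-failure"

# Header lines as quoted in the message above (dig @208.91.112.53 goeast.ch).
FROM_MESSAGE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57049
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed samples of what a +cd retry could return (not real captures).
CD_ANSWERS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_STILL_FAILS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(triage(FROM_MESSAGE, CD_ANSWERS))
    print(triage(FROM_MESSAGE, CD_STILL_FAILS))
```

A resolver may serve a cached SERVFAIL for a short time, so the two queries are best compared on a fresh lookup.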