[dns-operations] Fortinet contact? Problems with their public resolvers
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Jun 15 21:46:18 UTC 2018
On 13.06.2018 at 14:00, Daniel Stirnimann wrote:
> It looks like that if the CD bit is absent, it returns SERVFAIL.
Meanwhile I think it is not CD related. For example, powerdns.com
resolves fine via Fortinet resolvers although their name server
(PowerDNS) also clears the CD flag:
$ dig @208.91.112.53 powerdns.com +short
188.166.104.92
Another observation: when asking their resolver with the CD flag set, the
usually SERVFAILing zones work, but no DNSSEC RRs are returned.
Shouldn't they also respond with the DNSSEC RRs?
$ dig @208.91.112.53 dnssec-signiert.at +cdflag +dnssec
; <<>> DiG 9.10.3-P4-Debian <<>> @208.91.112.53 dnssec-signiert.at
+cdflag +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54473
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-signiert.at. IN A
;; AUTHORITY SECTION:
dnssec-signiert.at. 148 IN SOA ns2.at43.at. mib.nic.at.
1010 600 3600 604800 600
$ dig @208.91.112.53 dnssec-signiert.at +cdflag +dnssec RRSIG
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10941
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-signiert.at. IN RRSIG
regards
Klaus
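
Added example, not part of the original message: a small Python check that reads dig output and labels a DO=1 response as SERVFAIL or as NOERROR without any DNSSEC records, the two outcomes shown in the message above. The function names are hypothetical, the sample text is the message's own dig output (abridged, wrapped SOA line rejoined), and the check assumes the queried zone is signed.

```python
import re

# dig output taken from the message above, abridged to the lines the check needs.
SAMPLE_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54473
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-signiert.at. IN A
;; AUTHORITY SECTION:
dnssec-signiert.at. 148 IN SOA ns2.at43.at. mib.nic.at. 1010 600 3600 604800 600
"""
SAMPLE_RRSIG = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10941
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-signiert.at. IN RRSIG
"""

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY", "DS"}

def summarize(dig_text):
    """Extract status, header flags, EDNS DO bit and returned RR types."""
    status = re.search(r"status: (\w+)", dig_text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_text, re.M).group(1).split()
    edns = re.search(r"^; EDNS:.*flags:\s*([a-z ]*);", dig_text, re.M)
    do_bit = bool(edns) and "do" in edns.group(1).split()
    rr_types = set()
    for line in dig_text.splitlines():
        # Resource records are the lines that do not start with ';'.
        m = re.match(r"^[^;\s]\S*\s+\d+\s+IN\s+(\w+)", line)
        if m:
            rr_types.add(m.group(1))
    return {"status": status, "flags": flags, "do": do_bit, "types": rr_types}

def classify(dig_text):
    """Label a response to a DO=1 query; assumes the zone is DNSSEC-signed."""
    s = summarize(dig_text)
    if s["status"] != "NOERROR":
        return s["status"].lower()
    if s["do"] and not (s["types"] & DNSSEC_TYPES):
        return "dnssec-records-stripped"
    return "ok"

if __name__ == "__main__":
    for name, text in (("A", SAMPLE_A), ("RRSIG", SAMPLE_RRSIG)):
        print(name, classify(text), summarize(text))
```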