[dns-operations] Strange behavior of google public resolver

Taras Heichenko tasic at hostmaster.ua
Thu Apr 18 14:13:04 UTC 2019



> On Apr 18, 2019, at 16:45, Bryan Hughes <bhughes at tiggee.com> wrote:
> 
> Taras - 
> 
> What's going on with your KSKs in this domain?

Unfortunately it is not my domain. :( I tried to explain to the domain admin what should be done, but I think I was not heard.
I hope that in a day or two he will bring the domain to a working state. :( Now you see a state different from the state when I
wrote my first letter.

> KeyID 35973 using algo 10 is invalid (http://dnsviz.net/d/rv.ua/dnssec/), KeyID 613 using a very old algo 3 is valid. For what it's worth, Google DNS SERVFAILs for me when I break the KSK on a test domain. Perhaps they are at times validating on KeyID 613 (and subsequent NOERROR response) and the rest of the time failing to validate KeyID 35973?
> 
> 
> On Thu, Apr 18, 2019 at 7:22 AM Taras Heichenko <tasic at hostmaster.ua> wrote:
> 
> 
> > On Apr 18, 2019, at 13:07, Jim Reid <jim at rfc1035.com> wrote:
> > 
> > 
> > 
> >> On 18 Apr 2019, at 10:46, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> >> 
> >> Of course, it would be better to move away from DSA, but it shouldn't
> >> make a SERVFAIL, just a lack of validation
> > 
> > ? If DSA signatures can't be validated, SERVFAIL is the correct response.
> 
> Then why does the Google resolver sometimes give the answer with NSes?
> Sometimes it can validate the DSA signature and sometimes not?
> 
> > 
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> --
> Best regards
> 
> Taras Heichenko
> tasic at hostmaster.ua

--
Best regards

Taras Heichenko
tasic at hostmaster.ua
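
Added example (not part of the thread, and not any resolver's actual code): a simplified Python model of the validator decision the posters are debating, following RFC 4035 section 5.2, where a zone whose DS algorithms are all unsupported is treated as insecure and a zone with a supported but failing chain is bogus (SERVFAIL). The names `KskLink`, `validate` and `outcomes` are hypothetical, and it is an assumption that both keys have a DS record at the parent; the key IDs, algorithms and valid/invalid states are the ones quoted from DNSViz above.

```python
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers: 3 = DSA/SHA-1, 10 = RSASHA512.


@dataclass(frozen=True)
class KskLink:
    """One DS -> DNSKEY path from the parent into the zone (hypothetical type)."""
    key_tag: int
    algorithm: int
    chain_valid: bool  # True if DS, DNSKEY and RRSIG all check out for this key


def validate(links, supported_algorithms):
    """Return (security_state, rcode) for a validating resolver.

    Simplified: one valid path through a supported algorithm is enough
    for a secure answer; paths with unsupported algorithms are ignored.
    """
    usable = [l for l in links if l.algorithm in supported_algorithms]
    if not usable:
        # No supported algorithm in the DS set: treat the zone as unsigned.
        return ("insecure", "NOERROR")
    if any(l.chain_valid for l in usable):
        return ("secure", "NOERROR")
    # Supported algorithm(s) present, but none of them validates.
    return ("bogus", "SERVFAIL")


# Constructed input mirroring the key states quoted in the thread.
RV_UA = [
    KskLink(key_tag=35973, algorithm=10, chain_valid=False),
    KskLink(key_tag=613, algorithm=3, chain_valid=True),
]


def outcomes():
    """Same zone, three validators that differ only in algorithm support."""
    return {
        "supports_3_and_10": validate(RV_UA, {3, 10}),
        "supports_10_only": validate(RV_UA, {10}),
        "supports_neither": validate(RV_UA, set()),
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name:18} -> {result}")
```

In this model a validator that still accepts DSA answers NOERROR via KeyID 613, while one that has dropped DSA is left with only the broken KeyID 35973 and returns SERVFAIL.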