[dns-operations] DNSSEC validation - salliemae.com

Robert Blayzor rblayzor.bulk at inoc.net
Wed Aug 7 13:25:40 UTC 2019


We run multiple unbound recursive DNS servers using DNSSEC validation.

We've been getting complaints about users not being able to get to
salliemae.com. From what we have seen, salliemae.com's DNSSEC is
completely broken. Bad sigs, no sigs on records, etc.

For example: SOA sig fails, but "www" for salliemae.com has no signature
(that I can see).

User complains that using our servers they can't get to the site (and
rightfully so, I guess), but then states that if they switch to Google
or Cloudflare (8.8.8.8 or 1.1.1.1) it works.

If I try to do validation tests for the SOA record against Google or
Cloudflare, I get the same failures, but they DO return a valid A record
for "www".

I thought DNSSEC validation was to be "all or nothing". How can you be
doing DNSSEC validation but still passing back RRs that do not pass due
to not having any signature?

Who is right?

-- 
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP:  https://pgp.inoc.net/rblayzor/
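The checks described in the post (query the same name through several resolvers with validation on, then see what the resolver hands back) can be scripted. The following is an added example, not part of the original post or of unbound; it assumes a POSIX sh, BIND's dig on the PATH, and network reachability to the resolver when check_name is run live. Nothing about salliemae.com's actual state is encoded here; the dig header text used in the offline demo is constructed for illustration. dig +dnssec sets the DO bit, which is what makes a validating resolver return RRSIGs and set the AD flag on answers it has verified; dig +cd sets the CD (checking disabled) bit, which tells the resolver to return the data even when validation fails, so the RRSIGs (or their absence) can be inspected.

```sh
#!/bin/sh
# Added example (not from the original post): classify a resolver's DNSSEC
# handling of one name from dig's response header.
#   secure   : NOERROR with AD set   -> the resolver validated this answer
#   insecure : NOERROR without AD    -> not validated: provably unsigned name,
#                                       or the resolver does not validate
#   bogus    : SERVFAIL              -> a validating resolver refused the data
#   other    : NXDOMAIN, REFUSED, ...
classify_dig() {
  status="$1"; flags="$2"
  case "$status" in
    NOERROR)
      case " $flags " in
        *" ad "*) echo secure ;;
        *)        echo insecure ;;
      esac ;;
    SERVFAIL) echo bogus ;;
    *)        echo other ;;
  esac
}

# parse_dig_output OUTPUT: pull status and flags out of dig's two header lines
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43261
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
# and print the classification.
parse_dig_output() {
  out="$1"
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
  classify_dig "$status" "$flags"
}

# check_name RESOLVER NAME [TYPE]: query with the DO bit (validation on); if the
# resolver says SERVFAIL, re-query with CD so it returns the unvalidated data
# and show which RRSIGs came back (none, or ones that fail to verify).
check_name() {
  resolver="$1"; name="$2"; type="${3:-A}"
  v=$(dig @"$resolver" +dnssec +time=3 +tries=1 "$name" "$type")
  verdict=$(parse_dig_output "$v")
  printf '%s %s/%s: %s\n' "$resolver" "$name" "$type" "$verdict"
  if [ "$verdict" = bogus ]; then
    dig @"$resolver" +dnssec +cd +time=3 +tries=1 "$name" "$type" |
      sed -n '/^;; flags/p; /RRSIG/p'
  fi
}

# Offline demo on constructed dig header text (not a real capture).
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43261
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51024
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
demo() {
  printf 'constructed SERVFAIL header: %s\n' "$(parse_dig_output "$SAMPLE_BOGUS")"
  printf 'constructed AD header:       %s\n' "$(parse_dig_output "$SAMPLE_SECURE")"
}

# Live use: sh dnssec_check.sh 8.8.8.8 example.com SOA
if [ "$#" -ge 2 ]; then check_name "$@"; else demo; fi
```

Run it once per resolver (your unbound, 8.8.8.8, 1.1.1.1) for both the zone's SOA and the "www" A record. An "insecure" verdict for one name and "bogus" for another from the same resolver means that resolver treated the two names differently; an "insecure" verdict on its own does not say whether the name is unsigned or whether the resolver validates at all, so compare against a name you know is signed correctly. If the +cd query also returns SERVFAIL, the failure is not a validation failure but something upstream (unreachable authoritatives, timeouts), which needs a different diagnosis.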