[dns-operations] DNSSEC validation - salliemae.com

Scott Morizot tmorizot at gmail.com
Wed Aug 7 13:54:08 UTC 2019

DNSViz is operating without historical data right now, so I can't see if
there's been a recent problem or not, but www.salliemae.com points into a
CDN and has a validated mix of a secure cname record pointing to an
insecure target, but everything validates as properly secure or insecure.


 I check salliemae.com and I see two IPv4 nameservers and three IPv6
nameservers are returning A records with data that can be validated. I
check from an enterprise client endpoint in our enterprise (which has a
multi-layered, fully validating recursive infrastructure) and I see it
finds the responses that can be validated. I presume responses that aren't
are marked as bad and other nameservers in the authoritative list are
checked until a good response can be found. Or perhaps it's intermittently
failing on in our infrastructure and from the enterprise network there's
not been anyone who has raised it as an issue. (Not that we would do
anything since the responses are bogus and we don't assume responsibility
for failures in external entities' DNS or websites.)


But www.salliemae.com does appear to consistently validate even if A
records for salliemae.com don't. And the delegation itself validates


On Wed, Aug 7, 2019 at 8:35 AM Robert Blayzor <rblayzor.bulk at inoc.net>

> We run multiple unbound recursive DNS servers using DNSSEC validation.
> We've been getting complaints about users not being able to get to
> salliemae.com. From what we have seen, salliemae.com's DNSSEC is
> completely broken. Bad sigs, no sigs on records, etc.
> For example: SOA sig fails, but "www" for salliemae.com has no signature
> (that I can see).
> User complains that using our servers they can't get to the site (and
> rightfully so, I guess), but then states that if they switch to Google
> or Cloudfalre ( or it works.
> If I try to do validation tests for the SOA record Google or Cloudflare,
> I get the same failures, but they DO return a valid A records for "www".
> I thought DNSSEC validation was to be "all or nothing". How can you be
> doing DNSSEC validation but still passing back RR's that do not pass due
> to not having any signature ?
> Who is right?
> --
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP:  https://pgp.inoc.net/rblayzor/
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190807/b1110168/attachment.html>

More information about the dns-operations mailing list