[dns-operations] DNSSEC validation - salliemae.com

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 7 17:52:01 UTC 2019

On Wed, Aug 07, 2019 at 09:25:40AM -0400, Robert Blayzor wrote:

> We run multiple unbound recursive DNS servers using DNSSEC validation.
> We've been getting complaints about users not being able to get to
> salliemae.com. From what we have seen, salliemae.com's DNSSEC is
> completely broken. Bad sigs, no sigs on records, etc.

Not completely, the DNSKEY RRset appears to validate fine, but the SOA
signatuer is broken (perhaps serial bumped after signing?), and so
all denial of existence fails:


On the other hand, www.salliemae.com for which a CNAME does exist, mostly
works, though one of the nameservers doesn't bother returning any RRSIGs:


> Who is right?

Though my unbound resolves their "www", their DNS is noticeably
flakey.  It'd be greate if someone would ping their operations team.


More information about the dns-operations mailing list