[dns-operations] DNSSEC validation - salliemae.com

John Levine johnl at taugh.com
Thu Aug 8 19:08:45 UTC 2019

In article <F941C54E-4E54-4ACD-837D-90AE006A4E11 at hopcount.ca> you write:
>> If I try to do a lookup using DNSSEC validation to quad1 or quad8 or my
>> own unbound servers for "NS" or "SOA" for salliemae.com, I get a SERVFAIL.
>Yep, I see no signatures returned from ns107.a0.incapsecuredns.net for SALLIEMAE.COM/IN/SOA with DO=1. SERVFAIL seems like an appropriate response. Their zone is broken.

Take a look on dnsviz and it agrees with you.  Some of their servers know the zone is signed, some don't.

I think there's a rule of thumb that any server with "secure" in its name isn't. (Unless, I suppose, "incap" is short for incapable.)

