[dns-operations] DNSSEC validation - salliemae.com
Scott Morizot
tmorizot at gmail.com
Thu Aug 8 19:26:07 UTC 2019
On Thu, Aug 8, 2019 at 2:09 PM Robert Blayzor <rblayzor.bulk at inoc.net>
wrote:
> info: validation failure <www.salliemae.com. A IN>: No DNSKEY record for
> key salliemae.com. while building chain of trust
That's interesting. I note the salliemae.com DNSKEY result msg size appears
to be 1708 bytes which means the UDP EDNS0 response will most likely be
fragmented. (Below is the ODVR unbound resolver, but I checked directly
against one of the salliemae.com authoritative nameservers as well.) That
could be a factor. Their zone *is* broken in a very strange manner. But the
two specific A record queries should resolve and validate. The DNSKEY
response does as well.
dig @184.105.193.74 salliemae.com dnskey +multiline +dnssec
; <<>> DiG 9.12.1-P2 <<>> @184.105.193.74 salliemae.com dnskey +multiline +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6609
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;salliemae.com. IN DNSKEY
;; ANSWER SECTION:
salliemae.com. 1 IN DNSKEY 257 3 7 (
AwEAAcTElH6W0s5P+ENfTEjMz9KCDbucmuTsBpcVH+/R
5JVclcI8gF/xs+RMvUW4YQ8Wx65gQxJbfzlKBwG1oAwF
udrA58XCLSXx3iLtRYKQ2iqnH6Fl3dX84+cBi9BeEoar
gPT6WV+7fQY8gYisfB4Or9kWes3K18yxo6AVFkZ58OYU
Tn1L1kXAKuuKc6zENxLWG1rZgLnf9XxwnG5Pv+uxL+Lm
FWADJoQmFcxPj8Mn870jTrDyrJG4qUjFEuKGrM72rnk2
H6+ObUL/NisqVPMoFGYHQrNh6KmQUr2asr6Oyi4rwXFz
2hY8QpUUVXLCI5piVeCIuwdaFn0rmWyhMETO33rE/Heh
Lfd18IQu804nVUXVAwfXHeBiN2caeciGVKc0Ka1Me7QN
LeScxHbF/3zAdXjE79xTYSNtnKV8q/kxlGChckTuQPh0
jXadpftxNLA9WaDbbm+9tM/s6dD6AnS4WNHIgBQkgCHs
lgy5/DJJx/DWw6qRwTEzaXSWJzwkzdgOEXS6EnOPsvWg
gQ2HHLpebUDaqlp7dPqIS0HEiaWZRELLTIC+lZsw+tBw
WYNWXLnpmLQm3r+Q1FX70SxvgSVRHQuSFjbDmhO/bL0o
h72ijTKFapQvsZaE6/l/oyx3kpGmWQMjvbqvxY7YY4l9
nszzBpBRIVbhwqL2/6boS+ODEQbN
) ; KSK; alg = NSEC3RSASHA1 ; key id = 15630
salliemae.com. 1 IN DNSKEY 256 3 7 (
AwEAAbx9NRApanJphwVKdhi1uCjuaXIcOM4/hu3A180X
zE32vBdW/s54o0YjQHczSaKvDBZPGrYvGUrvq+lpiW31
lOKs7ZiVxS9Fh/tHvtFgMRZmq6ly8q0JURHyYNpaBXf/
EOZAuMeiJ4EIkLyUxk9d7txyiYNCsfYWkFYFNNDdE3nX
bAdNlRIGopRzyrC6hxCPs4JNP7go9hJ9RotvZ4ArhPVc
UvKkMEJjh8Rz/uH+xbC1ycEuopjXslmY5ak0CsLMwJo9
YKCDCQCHthOEsuAQhUUSMQnD3tD/1YHZZ2HiZaqvQRCJ
tixUsB22d6BNaSSnJ8bgwGJQISxdezLQLjfj/98=
) ; ZSK; alg = NSEC3RSASHA1 ; key id = 33962
salliemae.com. 1 IN RRSIG DNSKEY 7 2 600 (
20190905152127 20190806152127 15630
salliemae.com.
s851LLgBMd+KftIpZyvj+nNooSaL3qy5GHbyBFYL2BqS
Ha5iVSVg1NW3Ef8aW8GEaKK998326x2/x04qiK23YQPu
z/fnfR6TIJxRJMM+MBGpoHqMAGghHmRQo5WCHIgSQoa5
Lds4pswgoDPyaqgVdQV+tHFKIPzHIjcbCH8MTnw7+iPM
IwWd5pQHCLP2ksjFtNXUToIVWWKPoCd/urc5CnieYVuk
gv5HsS/Ycryrc84NPRFDna9hqIeGCtlpBAUfWk8LZODn
dG1R7u5d6jPO8eYGwalLX4B9beaxgO/cl8ObbaSXCLq7
Rs9OC4rbiQIlh/z/yKsy1SZ/xRgn+e+n3zjOgysEeF/3
ZnShE37HBjoOAS9N4dIt136nYgCVJKyxVp6N7kcJWLBR
Jihmepe1g5YBt1hI1CBpLsm3aNJkSh3XaEWb/RWUoiPR
K1LX/dXOreOY+dkoCOrcYS1/9cu0Wzpot3fejp4J/mzj
mjXachLvm4W6kKXF9pejgqV1c5+n9KKXu62JQ9lmej/G
VjTuu/o8uQGz4+Ze13IALvr6X11v1FdjBOrFfulkZvs/
OGFgyJ9KiwFtprWZdMtemUdZCatpI0N7KOb1jTTx6wsk
zJYzcGSBkz16aYx5BY1Bk3C1Rfdi4qhjLYzvIGH5INax
W7QP2HCBjehGAaayoTlM4jA= )
salliemae.com. 1 IN RRSIG DNSKEY 7 2 600 (
20190905152127 20190806152127 33962
salliemae.com.
jGCZBRGuJBl7OxOEzgvA20LIbY7yOmbShlDdDRs/qmbE
sGiUmsc7uKDeMas9v/QzkErwzAm/z4A6bugUe8im/RAw
lVkTqms86T9Onh/IzfBIL6xq0BXZpwJXf+hIC8pCXn5d
iER3Oy5CQt4GZxWSpjEysiXqtUeobv22cJU1IYIEpn5G
nVug8l3gQTYk7fz56DD7wgX61NhKupZzLaYrHzk4WOYX
oTi0jTgqnS6WwJu3f4jh3LUVHcFcV3E0pbDYRHzsIn0d
yyxAv8ot8xJVRa54AOK9fddTTNS6NmP+26aXsNnWW/fD
4bPI7aWhe6csLivc6K7PIsFNmdWWo9xWaQ== )
;; Query time: 102 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Thu Aug 08 14:15:39 Central Daylight Time 2019
;; MSG SIZE rcvd: 1708
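Added example, not part of the original post: a small shell filter that reads dig output and reports whether the response size implies UDP fragmentation, which is the factor the message above raises for the 1708-byte DNSKEY answer. The function names (frag_risk, sample_from_post, sample_truncated) and the two thresholds are assumptions of this example, derived from plain header arithmetic and not taken from the thread.

```shell
#!/bin/sh
# Added example. Thresholds are header arithmetic, not values from the post:
#   1472 = 1500-byte Ethernet MTU - 20 (IPv4 header) - 8 (UDP header)
#   1232 = 1280-byte IPv6 minimum MTU - 40 (IPv6 header) - 8 (UDP header)

# frag_risk: read dig output on stdin, print "<msg_size> <edns_udp> <verdict>".
frag_risk() {
    awk '
        # Advertised EDNS0 UDP buffer size from the OPT pseudosection.
        /EDNS: version:/ { for (i = 1; i < NF; i++) if ($i == "udp:") edns = $(i + 1) + 0 }
        # dig prints one or two spaces before "rcvd:" depending on version.
        /MSG SIZE +rcvd:/ { size = $NF + 0 }
        # TC flag set means the answer did not fit and must be retried over TCP.
        /^;; flags:/ { if ($0 ~ / tc[ ;]/) tc = 1 }
        END {
            edns += 0
            if (!size) { print "0 0 no-size-line"; exit }
            if (tc) verdict = "truncated-retry-tcp"
            else if (size > 1472) verdict = "fragments-on-1500-mtu"
            else if (size > 1232) verdict = "fragments-on-1280-mtu"
            else verdict = "fits-single-datagram"
            print size, edns, verdict
        }'
}

# Header lines copied from the dig output in the post (key material omitted).
sample_from_post() {
    cat <<'EOF'
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE rcvd: 1708
EOF
}

# Constructed sample: a truncated UDP reply, as a resolver with a small buffer would see.
sample_truncated() {
    cat <<'EOF'
;; flags: qr tc rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; MSG SIZE  rcvd: 42
EOF
}

sample_from_post | frag_risk
# Live use: dig @<server> <zone> dnskey +dnssec | frag_risk
# Compare with the same query plus +tcp to see whether only the UDP path fails.
```

If the UDP query times out or returns nothing while the +tcp query succeeds, dropped fragments on the path between resolver and authoritative server are the likely cause of a "No DNSKEY record" validation failure.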