[dns-operations] DNSSEC validation - salliemae.com

Robert Blayzor rblayzor.bulk at inoc.net
Thu Aug 8 20:02:30 UTC 2019

On 8/8/19 3:26 PM, Scott Morizot wrote:
> That's interesting. I note the salliemae.com
> DNSKEY result msg size appears to be 1708 bytes which means the UDP
> EDNS0 response will most likely be fragmented. (Below is the ODVR
> unbound resolver, but I checked directly against one of the
> salliemae.com authoritative nameservers as well.)
> That could be a factor. Their zone *is* broken in a very strange manner.
> But the two specific A record queries should resolve and validate. The
> DNSKEY response does as well

You hit the nail on the head, it was frags. They were making it through
the firewalls ok, but a FreeBSD firewall rule was not allowing frags to
pass inbound. Punched that in the ACL and now "A" for the domain literal and
"www" actually resolve and pass.

However, SOA and NS come back with servfail. It's possible they don't
even have those records; news to me...
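An added example (my own code, not from either poster) showing the arithmetic behind the fragmentation point above and a minimal EDNS0 query builder you can send over a raw UDP socket to reproduce the test: a 1708-byte DNSKEY answer plus IPv4 and UDP headers exceeds a 1500-byte MTU, so it arrives as fragments that a firewall may silently drop. It assumes IPv4 without options, a 1500-byte path MTU, and the classic symptom pattern (small UDP answers fine, large UDP answers lost, TCP fine); the hypothetical `diagnose` helper encodes that pattern.

```python
import struct

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
DNSKEY = 48  # RR type number for DNSKEY


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, root terminator."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name: str, qtype: int, bufsize: int = 4096,
                do_bit: bool = True, txid: int = 0x1234) -> bytes:
    """DNS query (RD set) with an EDNS0 OPT pseudo-RR advertising `bufsize`
    as the UDP payload size and, optionally, the DO bit (RFC 6891)."""
    # id, flags (RD), qdcount, ancount, nscount, arcount (1 for OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLEN 0
    ttl = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return header + question + opt


def will_fragment(msg_len: int, mtu: int = 1500, ipv6: bool = False) -> bool:
    """True if a UDP datagram carrying msg_len DNS bytes exceeds the path MTU."""
    return (IPV6_HDR if ipv6 else IPV4_HDR) + UDP_HDR + msg_len > mtu


def diagnose(small_udp_ok: bool, large_udp_ok: bool, tcp_ok: bool) -> str:
    """Classify the observed pattern (constructed heuristic, not a standard)."""
    if small_udp_ok and large_udp_ok:
        return "no fragmentation problem observed"
    if small_udp_ok and not large_udp_ok and tcp_ok:
        return "large UDP answers lost: check firewall rules for IP fragments"
    return "failure not explained by fragmentation alone"


if __name__ == "__main__":
    q = build_query("salliemae.com", DNSKEY)
    print(len(q), "byte query;", "fragments" if will_fragment(1708) else "fits")
    print(diagnose(True, False, True))
```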

