[dns-operations] DNSSEC validation - salliemae.com
marka at isc.org
Fri Aug 9 02:19:04 UTC 2019
> On 9 Aug 2019, at 6:02 am, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> On 8/8/19 3:26 PM, Scott Morizot wrote:
>> That's interesting. I note the salliemae.com <http://salliemae.com>
>> DNSKEY result msg size appears to be 1708 bytes which means the UDP
>> EDNS0 response will most likely be fragmented. (Below is the ODVR
>> unbound resolver, but I checked directly against one of the
>> salliemae.com <http://salliemae.com> authoritative nameservers as well.)
>> That could be a factor. Their zone *is* broken in a very strange manner.
>> But the two specific A record queries should resolve and validate. The
>> DNSKEY response does as well
> You hit the nail on the head, it was frags. They were making it through
> the firewalls ok, but FreeBSD firewall rule was not allowing frags to
> pass inbound. Punched that in the ACL and now "A" for domain literal and
> "www" actually resolve and pass.
> However, SOA and NS come back with servfail. It's possible they don't
> even have those records; news to me…
They have those records. They just aren’t properly signed. Ask with CD=1
and you should get the records back.
% dig salliemae.com +dnssec ns +cd
;; BADCOOKIE, retrying.
; <<>> DiG 9.15.1 <<>> salliemae.com +dnssec ns +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63219
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9222563f9e3612981d6d7a195d4cd7d9fd6f90797564206a (good)
;; QUESTION SECTION:
;salliemae.com. IN NS
;; ANSWER SECTION:
salliemae.com. 172664 IN NS ns107.a0.incapsecuredns.net.
salliemae.com. 172664 IN NS ns22.a1.incapsecuredns.net.
salliemae.com. 172664 IN NS ns81.a2.incapsecuredns.net.
salliemae.com. 109 IN RRSIG NS 7 2 600 20190905152127 20190806152127 33962 salliemae.com. pD/UJUO9Ui3SQfEDTjO82F9VuLumWVnu1QnugNLXMcAohqgJCSKbUqaM c8jPc1pGkbAiFoUr7JR+h28B184t+Q0WLq0sdvHbmZe9e65sblTvEHB1 sA4YJV+Whdk8j2NkdjYTLA1efOKrjphmREgA+yMpi7TMs3sKcipqTJeu ZtEalBrrL9oDKhZufG5DNSRumcRdOMWusIKeT2vtH2U/dI5w3kdgONxY neBuXM0GD8ENrqdcEdBTP4nUXd6hZYEt8ZfFZI+WbL0We0+/ZzZmM2/q gih2OG4UlpTFXYsSlDMle+DDDW6bRFAQRhXSbwq9wnl1V2yB3CJjJl7N zE9o1Q==
;; ADDITIONAL SECTION:
ns81.a2.incapsecuredns.net. 3141 IN A 126.96.36.199
ns22.a1.incapsecuredns.net. 3174 IN A 188.8.131.52
ns107.a0.incapsecuredns.net. 3164 IN A 184.108.40.206
ns81.a2.incapsecuredns.net. 3141 IN AAAA 2a02:e980:6::51
ns22.a1.incapsecuredns.net. 3174 IN AAAA 2a02:e980:5::16
ns107.a0.incapsecuredns.net. 3164 IN AAAA 2a02:e980:4::6b
;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 09 12:18:01 AEST 2019
;; MSG SIZE rcvd: 624
> XMPP: rblayzor.AT.inoc.net
> PGP: https://pgp.inoc.net/rblayzor/
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations