[dns-operations] DNSSEC validation - salliemae.com

Mark Andrews marka at isc.org
Fri Aug 9 02:19:04 UTC 2019
> On 9 Aug 2019, at 6:02 am, Robert Blayzor <rblayzor.bulk at inoc.net> wrote:
> 
> On 8/8/19 3:26 PM, Scott Morizot wrote:
>> That's interesting. I note the salliemae.com DNSKEY result msg size
>> appears to be 1708 bytes which means the UDP EDNS0 response will most
>> likely be fragmented. (Below is the ODVR unbound resolver, but I checked
>> directly against one of the salliemae.com authoritative nameservers as
>> well.)
>> That could be a factor. Their zone *is* broken in a very strange manner.
>> But the two specific A record queries should resolve and validate. The
>> DNSKEY response does as well
> 
> 
> You hit the nail on the head, it was frags. They were making it through
> the firewalls ok, but FreeBSD firewall rule was not allowing frags to
> pass inbound. Punched that in the ACL and now "A" for domain literal and
> "www" actually resolve and pass.
> 
> However, SOA and NS come back with servfail. It's possible they don't
> even have those records; news to me…

They have those records.  They just aren’t properly signed. Ask with CD=1
and you should get the records back.

% dig salliemae.com +dnssec ns +cd
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.1 <<>> salliemae.com +dnssec ns +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63219
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9222563f9e3612981d6d7a195d4cd7d9fd6f90797564206a (good)
;; QUESTION SECTION:
;salliemae.com.			IN	NS

;; ANSWER SECTION:
salliemae.com.		172664	IN	NS	ns107.a0.incapsecuredns.net.
salliemae.com.		172664	IN	NS	ns22.a1.incapsecuredns.net.
salliemae.com.		172664	IN	NS	ns81.a2.incapsecuredns.net.
salliemae.com.		109	IN	RRSIG	NS 7 2 600 20190905152127 20190806152127 33962 salliemae.com. pD/UJUO9Ui3SQfEDTjO82F9VuLumWVnu1QnugNLXMcAohqgJCSKbUqaM c8jPc1pGkbAiFoUr7JR+h28B184t+Q0WLq0sdvHbmZe9e65sblTvEHB1 sA4YJV+Whdk8j2NkdjYTLA1efOKrjphmREgA+yMpi7TMs3sKcipqTJeu ZtEalBrrL9oDKhZufG5DNSRumcRdOMWusIKeT2vtH2U/dI5w3kdgONxY neBuXM0GD8ENrqdcEdBTP4nUXd6hZYEt8ZfFZI+WbL0We0+/ZzZmM2/q gih2OG4UlpTFXYsSlDMle+DDDW6bRFAQRhXSbwq9wnl1V2yB3CJjJl7N zE9o1Q==

;; ADDITIONAL SECTION:
ns81.a2.incapsecuredns.net. 3141 IN	A	192.230.123.81
ns22.a1.incapsecuredns.net. 3174 IN	A	192.230.122.22
ns107.a0.incapsecuredns.net. 3164 IN	A	192.230.121.107
ns81.a2.incapsecuredns.net. 3141 IN	AAAA	2a02:e980:6::51
ns22.a1.incapsecuredns.net. 3174 IN	AAAA	2a02:e980:5::16
ns107.a0.incapsecuredns.net. 3164 IN	AAAA	2a02:e980:4::6b

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 09 12:18:01 AEST 2019
;; MSG SIZE  rcvd: 624

%
> -- 
> inoc.net!rblayzor
> XMPP: rblayzor.AT.inoc.net
> PGP:  https://pgp.inoc.net/rblayzor/
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
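The two checks the thread arrives at (compare the answer with and without CD=1 to tell a signature failure apart from missing data or a transport problem, and look at the DNSKEY response size to judge whether UDP replies will fragment) can be scripted. The helper below is an added example, not code from the thread or from ISC: it parses ordinary dig output, so it runs offline on the constructed samples embedded in it and, when the ZONE environment variable is set, on live queries. The function names, the sample outputs and the 1232-byte fragmentation limit are this example's own assumptions.

```bash
#!/bin/sh
# Added example: DNSSEC triage on dig output. Not from the thread.

# RCODE from the ";; ->>HEADER<<- ... status: X," line of a dig answer.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# ANSWER count from the ";; flags: ...; QUERY: 1, ANSWER: N," line.
answers_of() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# Response size from ";; MSG SIZE  rcvd: N".
msg_size_of() {
    printf '%s\n' "$1" | sed -n 's/.*MSG SIZE *rcvd: *\([0-9]*\).*/\1/p' | head -n 1
}

# classify <rcode without CD> <rcode with CD> <answer count with CD>
# CD=1 makes the resolver skip validation, so when the plain query is
# SERVFAIL and the CD query is NOERROR the data exists and the signatures
# (or the chain of trust) are what fails. SERVFAIL in both cases is not a
# validation problem: look at transport (fragments, EDNS, TCP) or the
# authoritative servers instead.
classify() {
    answers="${3:-0}"
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "bogus" ;;
        SERVFAIL/SERVFAIL) echo "transport-or-auth" ;;
        NXDOMAIN/*)        echo "nxdomain" ;;
        NOERROR/NOERROR)
            if [ "$answers" -gt 0 ]; then echo "ok"; else echo "nodata"; fi ;;
        *)                 echo "unexpected:$1/$2" ;;
    esac
}

# frag_risk <bytes> [<limit>]: "yes" when a UDP reply of this size exceeds
# what can be assumed to arrive unfragmented. 1232 bytes is the usual
# conservative default (assumption of this example); pass 1472 to test
# against a 1500-byte Ethernet MTU with IPv4/UDP headers removed.
frag_risk() {
    if [ "$1" -gt "${2:-1232}" ]; then echo "yes"; else echo "no"; fi
}

# Live versions (need dig and network access).
triage() {            # triage <name> <type>
    plain=$(dig +dnssec "$2" "$1")
    withcd=$(dig +dnssec +cd "$2" "$1")
    classify "$(rcode_of "$plain")" "$(rcode_of "$withcd")" "$(answers_of "$withcd")"
}
dnskey_frag_risk() {  # dnskey_frag_risk <zone>
    frag_risk "$(msg_size_of "$(dig +dnssec +cd +bufsize=4096 DNSKEY "$1")")"
}

# Constructed dig output (header lines only), modelled on the thread: the
# same NS query answered SERVFAIL when validating and NOERROR with CD=1.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 42'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7
;; MSG SIZE  rcvd: 624'

if [ -n "${ZONE:-}" ]; then
    echo "$ZONE NS: $(triage "$ZONE" NS)"
    echo "$ZONE DNSKEY fragments over UDP: $(dnskey_frag_risk "$ZONE")"
else
    echo "sample NS query: $(classify "$(rcode_of "$SAMPLE_PLAIN")" \
        "$(rcode_of "$SAMPLE_CD")" "$(answers_of "$SAMPLE_CD")")"
    echo "1708-byte DNSKEY reply fragments over UDP: $(frag_risk 1708)"
fi
```

Run it as `ZONE=example.net sh triage.sh` to query a live zone through the local resolver; with no ZONE set it classifies the embedded samples as "bogus" and flags the 1708-byte DNSKEY reply from the thread. A "transport-or-auth" result is the cue to retry with `+tcp` or a smaller `+bufsize` before blaming the signatures.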
