[dns-operations] dnssec-failed.org and dns.google

abang abang at t-ipnet.net
Wed Aug 14 08:10:50 UTC 2019


On 14.08.2019 at 08:49, Eliza wrote:
> Hi,
>
> on 2019/8/14 14:27, A. Schulze wrote:
>> dnssec-failed.org is widely used to prove dnssec validation is in place.
>> If someone can reach the domain's webserver, the resolver behind the
>> scene doesn't validate.
>>
>> Now my monitoring alerted me about an unexpected answer:
>>
>>
>> dig @8.8.8.8 dnssec-failed.org. +aaonly
>
>
> I got SERVFAIL running the same command.
>
> $ dig @8.8.8.8 dnssec-failed.org. +aaonly
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 dnssec-failed.org. +aaonly
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30903
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;dnssec-failed.org.             IN      A
>
> ;; Query time: 403 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug 14 14:48:20 HKT 2019
> ;; MSG SIZE  rcvd: 46

Weird, NOERROR from here (AS3320):

$ dig @8.8.8.8 dnssec-failed.org

; <<>> DiG 9.9.9-P1 <<>> @8.8.8.8 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5698
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnssec-failed.org.             IN      A

;; ANSWER SECTION:
dnssec-failed.org.      7198    IN      A       69.252.80.75

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 14 10:06:50 CEST 2019
;; MSG SIZE  rcvd: 62
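
The monitoring check discussed in this thread, as an added example that is not part of the original posts: a POSIX shell function that classifies `dig` output for dnssec-failed.org. The function name, the category names and the third sample are assumptions of this example; the first two samples are the header lines from the two outputs quoted above.

```shell
#!/bin/sh
# Reads dig output on stdin and prints one word (category names are this example's own):
#   validating      SERVFAIL, the expected result for this test name
#   not-validating  NOERROR with an answer and no AD flag
#   anomalous       NOERROR with an answer and the AD flag set, i.e. the
#                   resolver reports the answer as DNSSEC-validated
#   inconclusive    anything else (no header, REFUSED, empty answer, ...)
classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # e.g. ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30903"
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # e.g. ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ..."
            line = $0
            sub(/^;; flags: */, "", line)
            flags = line
            sub(/;.*/, "", flags)                 # keep only the flag words
            ad = (index(" " flags " ", " ad ") > 0)
            if (match(line, /ANSWER: [0-9]+/))
                answers = substr(line, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            if (status == "SERVFAIL") print "validating"
            else if (status == "NOERROR" && answers > 0 && ad) print "anomalous"
            else if (status == "NOERROR" && answers > 0) print "not-validating"
            else print "inconclusive"
        }'
}

# Header lines taken from the two dig outputs quoted in the thread.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30903
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOERROR_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5698
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed sample: an answer without the AD flag.
SAMPLE_NOERROR_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$SAMPLE_SERVFAIL" "$SAMPLE_NOERROR_AD" "$SAMPLE_NOERROR_PLAIN"; do
    printf '%s\n' "$sample" | classify_dig
done
# Live use: dig @8.8.8.8 dnssec-failed.org. | classify_dig
```
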


