[dns-operations] help with a resolution
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jan 8 01:37:45 UTC 2020
On Wed, Jan 08, 2020 at 08:56:41AM +0800, William C wrote:
> Can you help check why public nameservers (all 8.8.8.8, 1.1.1.1, 9.9.9.9
> etc) can't resolve this domain?
>
> $ dig pike-aviation.com @8.8.8.8
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15133
That's easy, the domain is delegated signed:
pike-aviation.com. IN DS 41388 7 1 fc9228e1b977dcd5c830a5c0101532e225e173cf
but a query for its zone apex DNSKEY RRset returns:
pike-aviation.com. IN SOA ns69.domaincontrol.com. dns at jomax.net. 2020010702 28800 7200 604800 600
so the entire domain is "bogus":
https://dnsviz.net/d/pike-aviation.com/dnssec/
so either publish a DNSKEY RRset that includes and is signed by a
key that matches the DS RRset, and then sign the rest of the zone
with one of the keys in that RRset, OR else ask your registrar to
request a drop of the DS RRset from the .com zone.
--
Viktor.
More information about the dns-operations
mailing list