[dns-operations] DNSSEC queries to Amazon EC2 without signatures

Petr Menšík pemensik at redhat.com
Tue Jun 7 16:00:21 UTC 2022

Is anyone from the Amazon EC2 DNS team present?

We have the Testing Farm for the Fedora project on AWS instances. Because our 
internal network restricts outgoing DNS packets, we always rely on 
resolvers provided by the network. However, our unbound test containing 
DNSSEC validation fails. The server does not answer DNSSEC-enabled 
queries with signatures, which are required for working resolution.

Another issue is bad handling of empty non-terminals. The query dig soa 
us-east-2.compute.internal answers without error, but dig soa 
compute.internal ends with NXDOMAIN status. Because Amazon is a member of 
DNS-OARC, do you know where such reports should be directed?


Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
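
Added example, not part of the original message: a stdlib-only Python check for the symptom described above, where a query sent with the EDNS0 DO bit gets an answer carrying no RRSIG records. The name signed.example, the helper names and the sample replies are constructed for illustration.

```python
import struct

RRSIG, OPT, A = 46, 41, 1

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_do_query(name, qtype, qid=0x1234):
    """Wire-format query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner, CLASS = UDP payload size, TTL field holds flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and (msg[off] & 0xC0) != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)            # compression pointer or root byte

def summarize(msg):
    """Return rcode, AD flag and whether the answer section carries any RRSIG."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, types = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    rcode = flags & 0xF
    # NOERROR with data but no RRSIG: a validator behind this resolver
    # cannot validate the answer if the zone is signed.
    unsigned = rcode == 0 and an > 0 and RRSIG not in types
    return {"rcode": rcode, "ad": bool(flags & 0x20),
            "rrsig": RRSIG in types, "unsigned_answer": unsigned}

def sample_response(query, with_rrsig):
    """Constructed reply: one A record, optionally a dummy (not valid) RRSIG."""
    question = query[12:-11]                       # drop header and 11-byte OPT
    rrs = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 60, 4) + b"\x00" * 4
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1 + with_rrsig, 0, 0)
    return header + question + rrs
```

To check a live resolver, send the bytes from build_do_query() over UDP to port 53 and pass the reply to summarize(); an rcode of 3 is the NXDOMAIN status mentioned for the empty non-terminal.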
