<div dir="ltr">On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <span dir="ltr">&lt;<a href="mailto:ryan@u13.net" target="_blank">ryan@u13.net</a>&gt;</span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

<a href="http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov" target="_blank">http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov</a><br>
<br>
        RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA Verification failed)<br>
        RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA Verification failed)<br>
        None of the 2 RRSIG and 4 DNSKEY records validate the A RRset<br>
        The A RRset was not signed by any keys in the chain-of-trust<br>
<br>
Validation for <a href="http://moneyfactorystore.gov" target="_blank">moneyfactorystore.gov</a> succeeds, however <a href="http://www.moneyfactorystore.gov" target="_blank">www.moneyfactorystore.gov</a> fails.  Came across this when a user pointed out that it was not resolving.<br>


<br></blockquote><div><br></div><div>Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give an authenticated response [2].  I'm not sure about the reported RSA verification failures, but it could be that your resolver is (incorrectly) expecting a closest encloser NSEC3 record, which isn't necessary for wildcard responses, but which some older versions of BIND required [3].  What resolver are you running?<br>

<br></div><div>Cheers,<br></div><div>Casey<br></div><div><br>[1] <a href="http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/" target="_blank">http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/</a><br>
[2] <a href="https://www.dns-oarc.net/oarc/services/odvr" target="_blank">https://www.dns-oarc.net/oarc/services/odvr</a><br>[3] See the following thread: <a href="http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html">http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html</a><br>

</div></div></div></div>
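An added example, not part of the original message or of any resolver's code: how a validator recognises a wildcard-synthesized answer from the RRSIG Labels field (RFC 4034 section 3.1.3) and which name an NSEC3 record must cover for the wildcard proof (RFC 5155 section 8.8). The function names, the Labels value of 2 and the NSEC3 salt and iteration count are assumptions constructed for illustration, not values read from the zone.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648), lower-cased.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789abcdefghijklmnopqrstuv")

def _fqdn(labels):
    return ".".join(labels) + "."

def wildcard_info(owner, rrsig_labels):
    """RRSIG Labels check (RFC 4034 3.1.3). Returns None for a non-wildcard
    answer, else (wildcard, closest_encloser, next_closer_name)."""
    labels = [l for l in owner.lower().split(".") if l]
    if rrsig_labels > len(labels):
        raise ValueError("RRSIG Labels exceeds owner label count")
    if rrsig_labels == len(labels):
        return None
    cut = len(labels) - rrsig_labels
    encloser = labels[cut:]
    # The closest encloser is derived from the signature itself, so only the
    # next closer name needs an NSEC3 proving that it does not exist.
    return (_fqdn(["*"] + encloser), _fqdn(encloser), _fqdn(labels[cut - 1:]))

def nsec3_hash(name, salt_hex, iterations):
    """NSEC3 hash (RFC 5155 section 5): salted SHA-1 plus extra iterations."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.lower().split(".") if l) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)

def covers(owner_hash, next_hash, target):
    """True if the NSEC3 span owner_hash -> next_hash proves target absent."""
    if owner_hash < next_hash:
        return owner_hash < target < next_hash
    return target > owner_hash or target < next_hash  # last NSEC3 wraps

if __name__ == "__main__":
    # Constructed input: Labels=2 and the NSEC3 parameters are sample values,
    # not taken from the real zone.
    info = wildcard_info("www.moneyfactorystore.gov.", 2)
    print(info)
    print("need an NSEC3 covering", nsec3_hash(info[2], "aabbccdd", 12))
```

A validator that additionally insists on an NSEC3 matching the closest encloser will reject a response that carries only the covering record for the next closer name.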