<div dir="ltr"><div dir="ltr">On Thu, Aug 8, 2019 at 2:09 PM Robert Blayzor <<a href="mailto:rblayzor.bulk@inoc.net">rblayzor.bulk@inoc.net</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">info: validation failure <<a href="http://www.salliemae.com" rel="noreferrer" target="_blank">www.salliemae.com</a>. A IN>: No DNSKEY record for<br>
key <a href="http://salliemae.com" rel="noreferrer" target="_blank">salliemae.com</a>. while building chain of trust<br>
<br><br></blockquote><div><br></div><div>That's interesting. I note the <a href="http://salliemae.com">salliemae.com</a> DNSKEY result msg size appears to be 1708 bytes which means the UDP EDNS0 response will most likely be fragmented. (Below is the ODVR unbound resolver, but I checked directly against one of the <a href="http://salliemae.com">salliemae.com</a> authoritative nameservers as well.) That could be a factor. Their zone *is* broken in a very strange manner. But the two specific A record queries should resolve and validate. The DNSKEY response does as well.</div><div><br></div><div>dig @<a href="http://184.105.193.74">184.105.193.74</a> <a href="http://salliemae.com">salliemae.com</a> dnskey +multiline +dnssec<br><br>; <<>> DiG 9.12.1-P2 <<>> @<a href="http://184.105.193.74">184.105.193.74</a> <a href="http://salliemae.com">salliemae.com</a> dnskey +multiline +dnssec<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6609<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 4096<br>;; QUESTION SECTION:<br>;<a href="http://salliemae.com">salliemae.com</a>. IN DNSKEY<br><br>;; ANSWER SECTION:<br><a href="http://salliemae.com">salliemae.com</a>. 
1 IN DNSKEY 257 3 7 (<br> AwEAAcTElH6W0s5P+ENfTEjMz9KCDbucmuTsBpcVH+/R<br> 5JVclcI8gF/xs+RMvUW4YQ8Wx65gQxJbfzlKBwG1oAwF<br> udrA58XCLSXx3iLtRYKQ2iqnH6Fl3dX84+cBi9BeEoar<br> gPT6WV+7fQY8gYisfB4Or9kWes3K18yxo6AVFkZ58OYU<br> Tn1L1kXAKuuKc6zENxLWG1rZgLnf9XxwnG5Pv+uxL+Lm<br> FWADJoQmFcxPj8Mn870jTrDyrJG4qUjFEuKGrM72rnk2<br> H6+ObUL/NisqVPMoFGYHQrNh6KmQUr2asr6Oyi4rwXFz<br> 2hY8QpUUVXLCI5piVeCIuwdaFn0rmWyhMETO33rE/Heh<br> Lfd18IQu804nVUXVAwfXHeBiN2caeciGVKc0Ka1Me7QN<br> LeScxHbF/3zAdXjE79xTYSNtnKV8q/kxlGChckTuQPh0<br> jXadpftxNLA9WaDbbm+9tM/s6dD6AnS4WNHIgBQkgCHs<br> lgy5/DJJx/DWw6qRwTEzaXSWJzwkzdgOEXS6EnOPsvWg<br> gQ2HHLpebUDaqlp7dPqIS0HEiaWZRELLTIC+lZsw+tBw<br> WYNWXLnpmLQm3r+Q1FX70SxvgSVRHQuSFjbDmhO/bL0o<br> h72ijTKFapQvsZaE6/l/oyx3kpGmWQMjvbqvxY7YY4l9<br> nszzBpBRIVbhwqL2/6boS+ODEQbN<br> ) ; KSK; alg = NSEC3RSASHA1 ; key id = 15630<br><a href="http://salliemae.com">salliemae.com</a>. 1 IN DNSKEY 256 3 7 (<br> AwEAAbx9NRApanJphwVKdhi1uCjuaXIcOM4/hu3A180X<br> zE32vBdW/s54o0YjQHczSaKvDBZPGrYvGUrvq+lpiW31<br> lOKs7ZiVxS9Fh/tHvtFgMRZmq6ly8q0JURHyYNpaBXf/<br> EOZAuMeiJ4EIkLyUxk9d7txyiYNCsfYWkFYFNNDdE3nX<br> bAdNlRIGopRzyrC6hxCPs4JNP7go9hJ9RotvZ4ArhPVc<br> UvKkMEJjh8Rz/uH+xbC1ycEuopjXslmY5ak0CsLMwJo9<br> YKCDCQCHthOEsuAQhUUSMQnD3tD/1YHZZ2HiZaqvQRCJ<br> tixUsB22d6BNaSSnJ8bgwGJQISxdezLQLjfj/98=<br> ) ; ZSK; alg = NSEC3RSASHA1 ; key id = 33962<br><a href="http://salliemae.com">salliemae.com</a>. 
1 IN RRSIG DNSKEY 7 2 600 (<br> 20190905152127 20190806152127 15630 <a href="http://salliemae.com">salliemae.com</a>.<br> s851LLgBMd+KftIpZyvj+nNooSaL3qy5GHbyBFYL2BqS<br> Ha5iVSVg1NW3Ef8aW8GEaKK998326x2/x04qiK23YQPu<br> z/fnfR6TIJxRJMM+MBGpoHqMAGghHmRQo5WCHIgSQoa5<br> Lds4pswgoDPyaqgVdQV+tHFKIPzHIjcbCH8MTnw7+iPM<br> IwWd5pQHCLP2ksjFtNXUToIVWWKPoCd/urc5CnieYVuk<br> gv5HsS/Ycryrc84NPRFDna9hqIeGCtlpBAUfWk8LZODn<br> dG1R7u5d6jPO8eYGwalLX4B9beaxgO/cl8ObbaSXCLq7<br> Rs9OC4rbiQIlh/z/yKsy1SZ/xRgn+e+n3zjOgysEeF/3<br> ZnShE37HBjoOAS9N4dIt136nYgCVJKyxVp6N7kcJWLBR<br> Jihmepe1g5YBt1hI1CBpLsm3aNJkSh3XaEWb/RWUoiPR<br> K1LX/dXOreOY+dkoCOrcYS1/9cu0Wzpot3fejp4J/mzj<br> mjXachLvm4W6kKXF9pejgqV1c5+n9KKXu62JQ9lmej/G<br> VjTuu/o8uQGz4+Ze13IALvr6X11v1FdjBOrFfulkZvs/<br> OGFgyJ9KiwFtprWZdMtemUdZCatpI0N7KOb1jTTx6wsk<br> zJYzcGSBkz16aYx5BY1Bk3C1Rfdi4qhjLYzvIGH5INax<br> W7QP2HCBjehGAaayoTlM4jA= )<br><a href="http://salliemae.com">salliemae.com</a>. 1 IN RRSIG DNSKEY 7 2 600 (<br> 20190905152127 20190806152127 33962 <a href="http://salliemae.com">salliemae.com</a>.<br> jGCZBRGuJBl7OxOEzgvA20LIbY7yOmbShlDdDRs/qmbE<br> sGiUmsc7uKDeMas9v/QzkErwzAm/z4A6bugUe8im/RAw<br> lVkTqms86T9Onh/IzfBIL6xq0BXZpwJXf+hIC8pCXn5d<br> iER3Oy5CQt4GZxWSpjEysiXqtUeobv22cJU1IYIEpn5G<br> nVug8l3gQTYk7fz56DD7wgX61NhKupZzLaYrHzk4WOYX<br> oTi0jTgqnS6WwJu3f4jh3LUVHcFcV3E0pbDYRHzsIn0d<br> yyxAv8ot8xJVRa54AOK9fddTTNS6NmP+26aXsNnWW/fD<br> 4bPI7aWhe6csLivc6K7PIsFNmdWWo9xWaQ== )<br><br>;; Query time: 102 msec<br>;; SERVER: 184.105.193.74#53(184.105.193.74)<br>;; WHEN: Thu Aug 08 14:15:39 Central Daylight Time 2019<br>;; MSG SIZE rcvd: 1708<br></div><div><br></div></div></div>
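Added example, not part of the original message: a Python check that parses the flags, EDNS and MSG SIZE lines of the dig output above and counts how many IP fragments a UDP response of that size needs. The function names, the 1500- and 1280-byte MTUs and the option-free header sizes are assumptions; the sample lines are copied from the dig output with the key material left out.

```python
import math
import re

IP_HEADER = {4: 20, 6: 40}   # assumption: no IPv4 options, no other IPv6 extension headers
UDP_HEADER = 8
IPV6_FRAG_HEADER = 8         # added to every packet once an IPv6 datagram is fragmented

# Three lines copied from the dig output in the message (records omitted).
DIG_OUTPUT = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE rcvd: 1708
"""

def parse_dig(text):
    """Pull the DNS message size, EDNS UDP size and TC flag out of dig output."""
    size = re.search(r"MSG SIZE\s+rcvd:\s*(\d+)", text)
    if size is None:
        raise ValueError("no MSG SIZE line in dig output")
    edns = re.search(r"EDNS:.*\budp:\s*(\d+)", text)
    flags = re.search(r";; flags:([^;]*);", text)
    return {
        "msg_size": int(size.group(1)),
        "edns_udp": int(edns.group(1)) if edns else None,
        "truncated": bool(flags and "tc" in flags.group(1).split()),
    }

def fragment_count(msg_size, ip_version=4, mtu=1500):
    """Number of IP packets needed to carry one UDP DNS message of msg_size bytes."""
    datagram = msg_size + UDP_HEADER
    room = mtu - IP_HEADER[ip_version]
    if datagram <= room:
        return 1                     # fits in a single packet
    if ip_version == 6:
        room -= IPV6_FRAG_HEADER
    per_fragment = room // 8 * 8     # non-final fragments carry a multiple of 8 bytes
    return math.ceil(datagram / per_fragment)

def report(text, paths=((4, 1500), (6, 1500), (6, 1280))):
    """Parse dig output and report the fragment count for each (IP version, MTU) path."""
    info = parse_dig(text)
    info["fragments"] = {f"IPv{v}/mtu{m}": fragment_count(info["msg_size"], v, m)
                         for v, m in paths}
    return info

if __name__ == "__main__":
    print(report(DIG_OUTPUT))
```

A count above 1 on the path between resolver and authoritative server means the answer depends on IP fragments being delivered and reassembled, so a firewall or middlebox that drops fragments would leave the validator without the DNSKEY set.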