DNSSEC Issue Resolving .gov.au subdomains


benb...@gmail.com

Apr 8, 2019, 9:31:47 AM
to public-dns-discuss
Hi,

The Google Public DNS servers are currently returning SERVFAIL responses for subdomains of .gov.au.

The .gov.au zone was recently signed ( https://www.dta.gov.au/blogs/signing-govau-zone ), so I suspect this may be related.

Disabling DNSSEC results in a successful query.

example queries:

With DNSSEC
$ dig @8.8.8.8 www.health.nsw.gov.au

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au.         IN      A

;; Query time: 267 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:31 AEST 2019
;; MSG SIZE  rcvd: 50

WITHOUT DNSSEC
$ dig @8.8.8.8 +cd www.health.nsw.gov.au

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 +cd www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au.         IN      A

;; ANSWER SECTION:
www.health.nsw.gov.au.  0       IN      CNAME   health.nsw.gov.au.
health.nsw.gov.au.      299     IN      A       202.58.231.80

;; Query time: 268 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:47 AEST 2019
;; MSG SIZE  rcvd: 80


Similar responses are seen for www.health.vic.gov.au and www.health.qld.gov.au.

No DS records exist for nsw.gov.au, vic.gov.au or qld.gov.au, so my expectation would be that the Google servers shouldn't perform DNSSEC validation when querying these domains.

A web query at the following URL confirms DNSSEC validation as the issue:

{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.health.nsw.gov.au.",
      "type": 1
    }
  ],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.health.nsw.gov.au/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.health.nsw.gov.au for errors"
}


The problem doesn't exist on other public DNS services such as Cloudflare, OpenDNS, etc.

Alex Dupuy

Apr 8, 2019, 11:42:10 AM
to public-dns-discuss
Thanks for your report.

This issue is being handled at our public issue tracker:  https://issuetracker.google.com/issues/130107674.

We are rolling out a workaround that will disable DNSSEC validation for these as yet insecurely delegated domains:
When this is effective worldwide (expected by 2019-04-09 23:00 UTC), it will prevent the problems seen on Sunday for delegated subdomains of those domains when DNSSEC signing is enabled for the domains (but they are not themselves securely delegated by DS records in the gov.au zone).

We are also working on a fix to the bug in our DNSSEC validator that would incorrectly return validation failures for delegations like these in general.

We will provide further updates in the issue tracker only.
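An added illustration, written for this thread and not code from the thread or from Google Public DNS, of the reasoning in the original report (no DS records for nsw.gov.au, so validation should not apply below it) and in Alex's reply (the domains are signed but not securely delegated). It walks a name from the TLD down through its zone cuts to find the first delegation without a DS record, which is where the chain of trust stops and the name becomes "insecure" rather than "bogus", and then compares that expectation with what the resolver's JSON API response actually says. The delegation table (ZONE_CUTS, DS_PUBLISHED) is constructed for the example; treating au. and gov.au. as securely delegated is an assumption, while the absence of DS records for nsw/vic/qld.gov.au is what the report states. In practice those entries would come from real DS queries.

```python
import json

# RCODE values as the Google DNS JSON API reports them in "Status".
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed delegation table (not a live lookup). ZONE_CUTS lists the names at
# which a delegation exists; DS_PUBLISHED is the subset whose parent zone carries
# a DS record for them. The report says nsw/vic/qld.gov.au have no DS records;
# au. and gov.au. being securely delegated is an assumption for this example.
ZONE_CUTS = {"au.", "gov.au.", "nsw.gov.au.", "vic.gov.au.", "qld.gov.au.",
             "health.nsw.gov.au."}
DS_PUBLISHED = {"au.", "gov.au."}


def ancestors(name):
    """Yield every ancestor of a fully qualified name, TLD first, name last."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def expected_validation_state(name, zone_cuts=ZONE_CUTS, ds_published=DS_PUBLISHED):
    """Return ("secure", None) if every zone cut above `name` has a DS record,
    or ("insecure", zone) naming the first delegation that lacks one. Below such
    a cut a validator must treat answers as unsigned, not as validation failures."""
    for zone in ancestors(name):
        if zone in zone_cuts and zone not in ds_published:
            return "insecure", zone
    return "secure", None


def parse_doh_response(text):
    """Reduce a Google DNS JSON API response to the DNSSEC-relevant fields."""
    r = json.loads(text)
    return {
        "rcode": RCODE_NAMES.get(r["Status"], str(r["Status"])),
        "authenticated": bool(r.get("AD")),      # AD bit: answer validated
        "checking_disabled": bool(r.get("CD")),  # CD bit: validation was skipped
        "comment": r.get("Comment", ""),
    }


def diagnose(doh_text, name):
    """Compare the resolver's answer with what the delegation chain predicts."""
    r = parse_doh_response(doh_text)
    state, zone = expected_validation_state(name)
    if r["rcode"] == "SERVFAIL" and not r["checking_disabled"]:
        if state == "insecure":
            return (f"unexpected: validation failure although {name} sits under "
                    f"an insecure delegation at {zone}")
        return f"validation failure in a signed chain; check signatures/DS for {name}"
    if r["rcode"] == "NOERROR" and r["authenticated"]:
        return "authenticated answer"
    if r["rcode"] == "NOERROR" and state == "insecure":
        return f"unvalidated answer as expected (insecure delegation at {zone})"
    return f"{r['rcode']} (AD={r['authenticated']}, CD={r['checking_disabled']})"


# Copy of the JSON API response quoted in the original report.
SAMPLE = """{
  "Status": 2, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
  "Question": [{"name": "www.health.nsw.gov.au.", "type": 1}],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.health.nsw.gov.au/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.health.nsw.gov.au for errors"
}"""

if __name__ == "__main__":
    print(expected_validation_state("www.health.nsw.gov.au."))
    print(diagnose(SAMPLE, "www.health.nsw.gov.au."))
```

For the sample response the script reports that the SERVFAIL is unexpected, because the first zone cut without a DS record is nsw.gov.au. and everything beneath it should be returned as unsigned data; that is the discrepancy the thread describes, and the same walk over a real DS lookup per zone cut is the check to run when a validating resolver returns SERVFAIL for a name whose parent is not securely delegated.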


Alex Dupuy

Apr 8, 2019, 11:56:09 AM
to public-dns-discuss
I (mistakenly) wrote:
When this [workaround] is effective worldwide (expected by 2019-04-09 23:00 UTC)

That should have been "expected by 2019-04-08 23:00 UTC", in other words, within about seven hours from now.

Andrzej Swietek

Apr 8, 2019, 12:08:55 PM
to benb...@gmail.com, public-dns-discuss
andrzejs-air:~ rozalia$ dig @8.8.8.8 www.health.nsw.gov.au

; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60162
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au. IN A

;; ANSWER SECTION:
www.health.nsw.gov.au. 299 IN CNAME health.nsw.gov.au.
health.nsw.gov.au. 299 IN A 202.58.231.80

;; Query time: 384 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 08 17:44:36 CEST 2019
;; MSG SIZE  rcvd: 80