Hi,
The Google Public DNS servers are currently returning SERVFAIL responses for subdomains of .gov.au.
The .gov.au was recently signed ( https://www.dta.gov.au/blogs/signing-govau-zone ) so I suspect this may be related.
Disabling DNSSEC results in a successful query.
Example queries:
WITH DNSSEC
$ dig @8.8.8.8 www.health.nsw.gov.au
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au. IN A
;; Query time: 267 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:31 AEST 2019
;; MSG SIZE rcvd: 50
WITHOUT DNSSEC
$ dig @8.8.8.8 +cd www.health.nsw.gov.au
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 +cd www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au. IN A
;; ANSWER SECTION:
www.health.nsw.gov.au. 0 IN CNAME health.nsw.gov.au.
health.nsw.gov.au. 299 IN A 202.58.231.80
;; Query time: 268 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:47 AEST 2019
;; MSG SIZE rcvd: 80
Similar responses are seen for www.health.vic.gov.au and www.health.qld.gov.au.
No DS records exist for nsw.gov.au, vic.gov.au or qld.gov.au, so my expectation would be that the Google servers shouldn't perform DNSSEC validation when querying these domains.
A web query at the following URL confirms DNSSEC validation as an issue
{
"Status": 2,
"TC": false,
"RD": true,
"RA": true,
"AD": false,
"CD": false,
"Question": [
{
"name": "www.health.nsw.gov.au.",
"type": 1
}
],
"Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.health.nsw.gov.au/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.health.nsw.gov.au for errors"
}
Problem doesn't exist on other public DNS services such as Cloudflare, OpenDNS, etc.
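
The comparison made in the post (SERVFAIL by default, NOERROR with +cd, plus the comment in the JSON reply) can be scripted as a triage check. This is an added example, not part of the original post; the function names and result labels are hypothetical, and the sample input is constructed from the header lines quoted in the post.

```python
import json
import re

# Constructed sample input: header lines copied from the two dig runs in the post.
DIG_DEFAULT = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
# The JSON reply quoted in the post, trimmed to the fields used here.
DOH_JSON = ('{"Status": 2, "AD": false, "CD": false, '
            '"Comment": "DNSSEC validation failure."}')


def parse_dig_header(text):
    """Return (status, set_of_flags) from dig's HEADER and flags lines."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    if not status or not flags:
        raise ValueError("not a dig response header")
    return status.group(1), set(flags.group(1).split())


def classify(default_reply, cd_reply):
    """Compare a validating query with a +cd (checking disabled) query."""
    d_status, d_flags = parse_dig_header(default_reply)
    c_status, c_flags = parse_dig_header(cd_reply)
    if "cd" in d_flags or "cd" not in c_flags:
        raise ValueError("expected one reply without CD and one with CD")
    if d_status == "SERVFAIL" and c_status == "NOERROR":
        return "validation-failure"   # data is reachable; only validation rejects it
    if d_status == "SERVFAIL" and c_status == "SERVFAIL":
        return "resolution-failure"   # fails even unvalidated: not (only) DNSSEC
    if d_status == "NOERROR":
        return "validated" if "ad" in d_flags else "resolved-unvalidated"
    return "other:" + d_status


def classify_doh(body):
    """Same triage for a JSON reply of the shape quoted in the post."""
    r = json.loads(body)
    if r["Status"] == 2 and not r["CD"]:   # 2 is the SERVFAIL rcode
        failed = "DNSSEC validation failure" in r.get("Comment", "")
        return "validation-failure" if failed else "servfail"
    return "validated" if r["Status"] == 0 and r["AD"] else "other"
```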