DNSSEC FAILS for the domain anamnese.me


rap...@anamnese.me

Jun 28, 2019, 7:22:42 AM
to public-dns-discuss
Hi

I followed the diagnostic tutorials and it seems that there is an issue with DNSSEC validation in Google DNS.

Could you help me with this issue?

Thanks
RC

➜  ~ dig @8.8.8.8 anamnese.me

; <<>> DiG 9.10.6 <<>> @8.8.8.8 anamnese.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:

;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 28 12:14:39 CEST 2019
;; MSG SIZE  rcvd: 40


➜  ~ dig @8.8.8.8 www.anamnese.me. +cd

; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.anamnese.me. +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52751
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:

;; ANSWER SECTION:
www.anamnese.me. 3599 IN A 54.38.173.162

;; Query time: 118 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 28 12:14:54 CEST 2019
;; MSG SIZE  rcvd: 60


➜  ~ dig anamnese.me. @4.2.2.1

; <<>> DiG 9.10.6 <<>> anamnese.me. @4.2.2.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:

;; ANSWER SECTION:
anamnese.me. 3600 IN A 54.38.173.162

;; Query time: 112 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Fri Jun 28 12:15:17 CEST 2019
;; MSG SIZE  rcvd: 56

rap...@anamnese.me

Jun 28, 2019, 12:38:34 PM
to public-dns-discuss
For now I have deactivated DNSSEC, so Google DNS can now resolve my server name.
Still there is a flaw somewhere.

Alex Dupuy

Jun 28, 2019, 2:47:24 PM
to public-dns-discuss
Please see https://issuetracker.google.com/issues/136270751

From the OVH public documentation, it does not appear that they provide a way for the domain owner to select a different DNSKEY algorithm.

We will contact OVH to see if they can switch their implementation to use a DNSSEC algorithm for signing zones that the RFC standards do not say you "MUST NOT" use.
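
Added example, not part of any post in this thread: a shell triage that reads saved `dig` output, compares the RCODE without and with `+cd` to tell a DNSSEC validation failure from a plain resolution failure, then lists the zone's DNSKEY algorithm numbers with their signing guidance. The function names and sample records are constructed for illustration, and using the RFC 8624 section 3.1 table is an assumption about which standard the reply above refers to.

```shell
#!/bin/sh
# Added example (not from the thread): DNSSEC triage from saved dig output.

# RCODE from dig's header line ("status: SERVFAIL") read on stdin.
dig_status() {
  sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <status without +cd> <status with +cd>, same name and resolver.
classify() {
  case "$1/$2" in
    SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "validation-failure" ;;
    SERVFAIL/SERVFAIL)                  echo "resolution-failure" ;;
    NOERROR/*|NXDOMAIN/*)               echo "ok" ;;
    *)                                  echo "inconclusive" ;;
  esac
}

# Distinct DNSKEY algorithm numbers from a dig answer section on stdin.
dnskey_algs() {
  awk '$3 == "IN" && $4 == "DNSKEY" { print $7 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# RFC 8624 section 3.1 signing guidance for one algorithm number.
signing_guidance() {
  case "$1" in
    1|3|6|12) echo "MUST NOT" ;;
    5|7|10)   echo "NOT RECOMMENDED" ;;
    8|13)     echo "MUST" ;;
    15)       echo "RECOMMENDED" ;;
    14|16)    echo "MAY" ;;
    *)        echo "unknown" ;;
  esac
}

# Constructed samples: the two header lines match the dig output in the thread;
# the DNSKEY records use a reserved name and placeholder key data.
PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8881'
WITH_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52751'
KEYS='example.test. 3600 IN DNSKEY 257 3 3 PLACEHOLDERKEY=
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDERKEY='

verdict=$(classify "$(echo "$PLAIN" | dig_status)" "$(echo "$WITH_CD" | dig_status)")
echo "resolver verdict: $verdict"
for alg in $(echo "$KEYS" | dnskey_algs); do
  echo "DNSKEY algorithm $alg: signing is $(signing_guidance "$alg")"
done
```

The comparison is only meaningful when both queries ask the same resolver for the same name and type; the DNSKEY answer has to be fetched with `+cd`, since a validating resolver returns SERVFAIL for it otherwise.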
