Google DNS (8.8.8.8 & 8.8.4.4) Returns wrong NSEC answer for my domain!


Pekka Panula

Oct 1, 2019, 9:39:36 AM
to public-dns-discuss
Hi

Google DNS gives a weird NSEC result for my domain aluekouluttaja.fi

Result for aluekouluttaja.fi/NSEC with DNSSEC validation:

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47
    }
  ],
  "Answer": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47,
      "TTL": 3599,
      "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
    }
  ],
  "Comment": "Response from 213.250.93.67."
}

As you can see Answer data is: "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
But it should be: "data": "aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"

I have checked with different validation services but they all say my zone & dnssec is OK, no problems.

When I query DNS from my DNS servers I get the correct answer for NSEC; it just seems Google DNS has this problem.

Any ideas what's causing this?

Jon Horovitz

Oct 1, 2019, 10:15:53 AM
to public-dns-discuss
Hi,

When I query your nameserver, I get the same result, so I think this is working correctly:

$ dig aluekouluttaja.fi. NSEC @213.250.93.67

; <<>> DiG 9.10.6 <<>> aluekouluttaja.fi. NSEC @213.250.93.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7670
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:

;; ANSWER SECTION:
aluekouluttaja.fi. 3600 IN NSEC _sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY

;; Query time: 118 msec
;; SERVER: 213.250.93.67#53(213.250.93.67)
;; WHEN: Tue Oct 01 10:14:49 EDT 2019
;; MSG SIZE  rcvd: 109

Pekka Panula

Oct 1, 2019, 1:47:25 PM
to public-dns-discuss
Hi

Ah, you are correct, it was my compare script that, I assume, was getting some (old) DNS NSEC record.
I didn't completely understand the whole NSEC record, but looking for more documentation I get it now, so there is no problem with Google DNSes.
It was just my DNS check script problem, where I check the zone against Google DNS.

Thx!
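Added example (not from this thread, and not the poster's script): the NSEC rdata above is correct because an NSEC record holds the *next* owner name in the zone's canonical order (RFC 4034 section 6.1) plus the type bitmap of the owner, so a zone-check script has to parse those two parts and compare them with the authoritative answer rather than expect the owner name in "data". The naive_check function is an assumption about the kind of comparison that produced the false alarm; the inputs are copied from the JSON answer and dig output in the thread.

```python
# Added example (not from the thread): parse NSEC rdata the way the Google DNS
# JSON API and dig present it, and check an apex NSEC by RFC 4034 canonical
# ordering plus the type bitmap, rather than expecting the owner name in "data".

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 sort key: labels compared right to left, case-insensitively;
    a name sorts after its parent. Plain ASCII labels are assumed."""
    stripped = name.rstrip(".").lower()
    return tuple(reversed(stripped.split("."))) if stripped else ()

def parse_nsec(rdata: str):
    """'next.name. NS SOA ...' -> (next owner name, set of types in the bitmap)."""
    parts = rdata.split()
    return parts[0].lower(), frozenset(parts[1:])

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next_name, i.e. this
    NSEC proves qname does not exist (the last NSEC wraps back to the apex)."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    return o < q < n if o < n else (q > o or q < n)

def naive_check(owner: str, rdata: str) -> bool:
    """The comparison the thread's script seems to have made (an assumption):
    expecting the owner name to appear at the start of the NSEC data."""
    return rdata.lower().startswith(owner.lower())

def check_apex_nsec(apex: str, resolver_rdata: str, auth_rdata: str) -> list:
    """Return a list of problems; empty means the resolver's NSEC agrees with
    the authoritative one and is shaped like a valid apex NSEC."""
    r_next, r_types = parse_nsec(resolver_rdata)
    a_next, a_types = parse_nsec(auth_rdata)
    problems = []
    if r_next != a_next:
        problems.append(f"next name differs: {r_next} vs {a_next}")
    if r_types != a_types:
        problems.append(f"type bitmap differs: {sorted(r_types ^ a_types)}")
    if not {"SOA", "NS", "NSEC", "RRSIG"} <= r_types:
        problems.append("apex bitmap must list at least SOA, NS, NSEC and RRSIG")
    if canonical_key(r_next) < canonical_key(apex):
        problems.append("next name sorts before the apex in canonical order")
    return problems

# Constructed inputs copied from the thread's JSON answer and dig output.
APEX = "aluekouluttaja.fi."
GOOGLE_DATA = "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
AUTH_DATA = "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
if __name__ == "__main__":
    print("naive check:", naive_check(APEX, GOOGLE_DATA))              # False: the false alarm
    print("problems:", check_apex_nsec(APEX, GOOGLE_DATA, AUTH_DATA))  # []
```

Because "_tcp" sorts before any letter in canonical order, `_sipfederationtls._tcp.aluekouluttaja.fi.` is indeed the first name after the apex, and the same record proves that names such as `_dmarc.aluekouluttaja.fi.` do not exist while saying nothing about `www.aluekouluttaja.fi.`.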