Unable to resolve keeex.me


cley...@gmail.com

Apr 18, 2019, 10:04:04 AM
to public-dns-discuss
Hi,
One of our domains is not resolved by Google Public DNS. It does work when disabling DNSSEC, however there doesn't seem to be a problem here on our end, and other resolvers do work.
  • The date and time you encountered the problem

    2019-04-18T13:38:12.571Z

  • Your location

    France

  • The platform on which you are noticing the problem (e.g. Mac, Windows, router, etc.): multiple, confirmed on Linux and Windows PCs
  • The hostname(s) for which you are having a problem:

    keeex.me
    (also happens on subdomains)

  • Whether the problem is continuous or intermittent: the problem has persisted for at least a few days now
  • The links to the tools' name server diagnosis report page:

    https://intodns.com/keeex.me

  • The output of the commands you ran in the diagnostic tests
15:43 $ traceroute -n -w 2 -q 2 -m 30 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.0.1.1  1.359 ms  1.649 ms
 2  172.17.24.254  21.162 ms  21.182 ms
 3  77.129.29.106  23.210 ms 77.129.29.107  23.206 ms
 4  77.154.127.153  25.220 ms 77.154.127.157  25.226 ms
 5  77.154.127.102  25.306 ms 77.154.115.133  28.178 ms
 6  77.154.127.101  25.114 ms  25.084 ms
 7  77.154.115.133  28.108 ms  28.084 ms
 8  109.5.247.249  24.979 ms 108.170.244.193  26.450 ms
 9  72.14.218.124  27.011 ms  26.771 ms
10  8.8.8.8  23.347 ms 108.170.245.1  24.641 ms



15:43 $ dig @8.8.8.8 keeex.me

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 keeex.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;keeex.me.                      IN      A

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 18 15:43:54 CEST 2019
;; MSG SIZE  rcvd: 37



15:43 $ dig @8.8.8.8 keeex.me +cd

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 keeex.me +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9484
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;keeex.me.                      IN      A

;; ANSWER SECTION:
keeex.me.               59      IN      A       188.165.84.153

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 18 15:44:59 CEST 2019
;; MSG SIZE  rcvd: 53



15:45 $ dig keeex.me. @4.2.2.1

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> keeex.me. @4.2.2.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;keeex.me.                      IN      A

;; ANSWER SECTION:
keeex.me.               60      IN      A       188.165.84.153

;; Query time: 49 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Thu Apr 18 15:45:36 CEST 2019
;; MSG SIZE  rcvd: 53

Cley Faye

Apr 18, 2019, 12:03:27 PM
to and...@swietek.com, public-dns-discuss
I'm not sure what you mean by that. Sorry, I'm not the guy that usually handles this.
Looking at http://dnsviz.net/d/keeex.me/dnssec/ it seems to me that all the keys in the chain are ok. Beyond that I'll have to ask our provider.

What seemed weird to me is that it works everywhere else, and even used to work fine with Google's DNS.


On Thu, Apr 18, 2019 at 17:31, Andrzej Swietek <andrzej....@gmail.com> wrote:
Do you have the keys registered at the root dns server where your domain is registered?

Cley Faye

Apr 18, 2019, 2:58:22 PM
to and...@swietek.com, public-dns-discuss
As I said, everything seems to be in order except from Google DNS's point of view.
The DNSSEC configuration and registration are handled by our provider, and work fine.
Various DNSSEC checking tools (including dnsviz.net, the Verisign DNSSEC analyzer and https://zonemaster.iis.se/?resultid=103fa65fe49a56a6) are able to perform all checks, including checking keys and signatures.
Other DNS providers that do DNSSEC validation work, except for Google DNS.

$ dig @1.0.0.1 +dnssec +cd A keeex.me

; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> @1.0.0.1 +dnssec +cd A keeex.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;keeex.me.                      IN      A

;; ANSWER SECTION:
keeex.me.               60      IN      A       188.165.84.153
keeex.me.               60      IN      RRSIG   A 3 2 60 20190508050056 20190408050056 58799 keeex.me. CAzEaUvs0/Rp09SBPk3yMHRf40GnayZtkS7kjV8gI7PK7Ns47McQ3eE=

;; Query time: 15 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: jeu. avril 18 18:56:14 UTC 2019
;; MSG SIZE  rcvd: 134

I tried Quad9 (above), Verisign (64.6.64.6), Cloudflare (1.1.1.1 and 1.0.0.1) and others. All give the same result except 8.8.8.8 and 8.8.4.4.
Unless you're telling me none of these providers actually implement DNSSEC validation, I doubt I can do much more.


On Thu, Apr 18, 2019 at 18:47, Andrzej Swietek <andrzej....@gmail.com> wrote:
You must add DNS keys to the root server at the root level!

The chain is broken when you do a DNS query against Google's DNS servers; the problem you experience is because Google is set up correctly to do DNSSEC validation from the root level all the way to your authoritative DNS servers

keeex.me. 3600 IN NS dns106.ovh.net.
keeex.me. 3600 IN NS ns106.ovh.net.

for your domain
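
The comparison this thread relies on (SERVFAIL on a normal query, NOERROR on the same query with +cd), as an added example that is not part of any post: it parses dig header lines, separates a validation failure from a plain resolution failure, and reports what a single response shows about validation. The function names and result labels are assumptions of this example; the sample headers are abridged from the dig output quoted in the thread.

```python
import re

# Header lines abridged from the dig output quoted in this thread.
OUT_8888 = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
OUT_8888_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9484
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
OUT_4221 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50209
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
OUT_1001_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1452
"""

def parse_header(text):
    """Return (status, header flags) from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    # Anchor on ';; flags:' so the EDNS 'flags: do' line is not picked up.
    flags = re.search(r"^;; flags:([a-z ]*);", text, re.M)
    if not (status and flags):
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split())

def evidence(text):
    """What one response, taken alone, says about DNSSEC validation."""
    status, flags = parse_header(text)
    if "cd" in flags:
        return "validation-disabled"  # query asked the resolver to skip checks
    if status == "SERVFAIL":
        return "failed"               # validation or plain resolution; compare with +cd
    if status == "NOERROR" and "ad" in flags:
        return "validated"            # resolver asserts the chain checked out
    return "no-evidence"              # no AD flag: nothing here shows validation

def diagnose(normal, with_cd):
    """Compare the same query to one resolver, without and with +cd."""
    n_status, _ = parse_header(normal)
    c_status, c_flags = parse_header(with_cd)
    if "cd" not in c_flags:
        raise ValueError("second response did not carry the CD flag")
    if n_status != "SERVFAIL":
        return "answered"
    return "dnssec-validation-failure" if c_status == "NOERROR" else "resolution-failure"
```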

cley...@gmail.com

Apr 19, 2019, 4:21:25 AM
to public-dns-discuss
Problem "solved" itself today without intervention on our end.