SERVFAIL on hostname via Google Public DNS


Philip G

Mar 16, 2016, 4:00:57 PM
to public-dns-discuss

We're running into an issue trying to resolve our domain blog.lemonaidhealth.com after implementing DNSSEC. It only happens using Google's DNS Servers. I've run a flush on blog.lemonaidhealth.com and lemonaidhealth.com. Nothing is working. We've contacted GoDaddy on this and their reply is it's "definitely not GoDaddy", contact Google.


** server can't find blog.lemonaidhealth.com: SERVFAIL.


gp@localhost:~$ nslookup -debug -type=A blog.lemonaidhealth.com 8.8.8.8
Server:     8.8.8.8
Address:    8.8.8.8#53

------------
    QUESTIONS:
        blog.lemonaidhealth.com, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
** server can't find blog.lemonaidhealth.com: SERVFAIL


gp@localhost:~$ nslookup -debug -type=A blog.lemonaidhealth.com PDNS07.DOMAINCONTROL.COM
Server:     PDNS07.DOMAINCONTROL.COM
Address:    2607:f208:207::35#53

------------
    QUESTIONS:
        blog.lemonaidhealth.com, type = A, class = IN
    ANSWERS:
    ->  blog.lemonaidhealth.com
        internet address = 184.168.47.225
        ttl = 600
    AUTHORITY RECORDS:
    ->  blog.lemonaidhealth.com
        nameserver = pdns08.domaincontrol.com.
        ttl = 3600
    ->  blog.lemonaidhealth.com
        nameserver = pdns07.domaincontrol.com.
        ttl = 3600
    ADDITIONAL RECORDS:
------------
Name:    blog.lemonaidhealth.com
Address: 184.168.47.225


### OPEN DNS

gp@localhost:~$ nslookup -debug -type=A blog.lemonaidhealth.com 208.67.220.220
Server:     208.67.220.220
Address:    208.67.220.220#53

------------
    QUESTIONS:
        blog.lemonaidhealth.com, type = A, class = IN
    ANSWERS:
        internet address = 184.168.47.225
        ttl = 600
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Address: 184.168.47.225


Alexander Dupuy

Mar 16, 2016, 4:18:07 PM
to Philip G, public-dns-discuss
Not Google's fault either, as DNSViz gives you a DNSSEC fail for your configuration: http://dnsviz.net/d/blog.lemonaidhealth.com/dnssec/ as does Verisign's public validating resolver:


; <<>> DiG 9.10.2 <<>> blog.lemonaidhealth.com @64.6.64.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52434
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:

;; Query time: 2254 msec
;; SERVER: 64.6.64.6#53(64.6.64.6)
;; WHEN: Wed Mar 16 16:08:56 EDT 2016
;; MSG SIZE  rcvd: 52


In this case, your problem seems to be that you created a separate zone for blog.lemonaidhealth.com within lemonaidhealth.com, but both zones are hosted at the same domaincontrol.com (GoDaddy) resolvers:

This sort of quasi-delegation can sort of work with non-DNSSEC-secured domains, but even with authoritative nameservers that do the right thing most of the time, you will occasionally get problems if DNSSEC is enabled (see https://groups.google.com/d/msg/public-dns-discuss/nBHFqx7goOQ/cWQI28MBGQAJ for another example). With your configuration and the GoDaddy authoritative servers, which return neither a DS record for the blog.lemonaidhealth.com child zone nor an NSEC/NSEC3 validating the non-existence of the DS, you will get 100% failure from any DNSSEC-validating resolver.

@alex
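The check Alexander describes, written out as an added example (not code from the thread or from any resolver): a validator asks the parent zone's nameserver for the child's DS record with the EDNS0 DO bit set, and it can only proceed if the reply carries either a signed DS RRset (signed delegation) or a signed NSEC/NSEC3 denial of the DS (unsigned delegation). A reply with neither is unverifiable, which is what makes every validating resolver answer SERVFAIL. The script builds and parses raw DNS messages with only the standard library, so it runs offline; the sample responses in SAMPLES are constructed with placeholder rdata (the "ns.example." SOA fields, zeroed DS digest and RRSIG bytes are stand-ins, not captured GoDaddy traffic), and probe() is the live version for anyone who wants to point it at a real parent-zone nameserver by IPv4 address.

```python
import socket
import struct

# RR type codes (RFC 1035, RFC 4034, RFC 5155, RFC 6891).
TYPE_SOA, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 6, 41, 43, 46, 47, 50
EDNS_DO = 0x8000  # "DNSSEC OK" bit, carried in the OPT record's TTL field


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qname, qtype, qid=0x1234):
    """Query with an EDNS0 OPT record and DO set, as a validating resolver sends it."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1, QD=1, AR=1 (the OPT)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    opt = encode_name(".") + struct.pack(">HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def build_response(qname, qtype, answers, authority, qid=0x1234):
    """Build a NOERROR, AA response; used here only to fabricate offline test cases."""
    header = struct.pack(">HHHHHH", qid, 0x8400, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack(">HH", qtype, 1)
    for owner, rtype, rdata in answers + authority:
        body += encode_name(owner) + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    """Return (rcode, {section: [(owner, rtype, rdata), ...]})."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sect, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            sections[sect].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return flags & 0x000F, sections


def classify_ds_response(msg, child):
    """Does the parent's DS answer give a validator something it can verify?

    "secure"   - signed DS RRset: the child is a signed delegation
    "insecure" - signed NSEC/NSEC3 denial: the child is an unsigned delegation
    "bogus"    - neither: no proof either way, so a validator answers SERVFAIL
    Signature and NSEC bitmap verification is the validator's job; this only
    checks that the proof material is present at all, which is what was missing.
    """
    child = child.rstrip(".") + "."
    _, sections = parse_response(msg)
    answer_types = {t for owner, t, _ in sections["answer"] if owner == child}
    authority_types = {t for _, t, _ in sections["authority"]}
    if {TYPE_DS, TYPE_RRSIG} <= answer_types:
        return "secure"
    if authority_types & {TYPE_NSEC, TYPE_NSEC3} and TYPE_RRSIG in authority_types:
        return "insecure"
    return "bogus"


def probe(server_ip, child, timeout=3.0):
    """Send the DS query to a parent-zone nameserver (IPv4) over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(child, TYPE_DS), (server_ip, 53))
        return classify_ds_response(s.recv(4096), child)


# Constructed sample responses with placeholder rdata (not captured traffic).
CHILD, PARENT = "blog.lemonaidhealth.com.", "lemonaidhealth.com."
_soa = encode_name("ns.example.") + encode_name("hostmaster.example.") + struct.pack(">IIIII", 1, 3600, 900, 604800, 600)
_ds = struct.pack(">HBB", 12345, 8, 2) + bytes(32)            # key tag, RSASHA256, SHA-256, zeroed digest
_nsec = encode_name("mail.lemonaidhealth.com.") + bytes([0, 6, 0x20, 0, 0, 0, 0, 0x03])  # bitmap: NS RRSIG NSEC, no DS
_sig = bytes(80)                                                # stand-in RRSIG rdata
SAMPLES = {
    "signed_delegation": build_response(CHILD, TYPE_DS, [(CHILD, TYPE_DS, _ds), (CHILD, TYPE_RRSIG, _sig)], []),
    "unsigned_delegation": build_response(CHILD, TYPE_DS, [], [(PARENT, TYPE_SOA, _soa), (CHILD, TYPE_NSEC, _nsec), (CHILD, TYPE_RRSIG, _sig)]),
    "no_proof": build_response(CHILD, TYPE_DS, [], [(PARENT, TYPE_SOA, _soa)]),
    "unsigned_denial": build_response(CHILD, TYPE_DS, [], [(PARENT, TYPE_SOA, _soa), (CHILD, TYPE_NSEC, _nsec)]),
}
```

The "no_proof" sample is the shape of failure described above: a NOERROR/NODATA reply with an SOA but no DS and no NSEC/NSEC3, which a non-validating resolver such as OpenDNS in the first post happily accepts and a validating one cannot. The "unsigned_denial" case shows the related trap of an NSEC without its RRSIG, which is equally useless to a validator.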

Bryan Price

Mar 16, 2016, 6:36:11 PM
to Philip G, public-dns-discuss
On Wed, Mar 16, 2016 at 2:07 PM, Philip G <g...@gpcentre.net> wrote:

We're running into an issue trying to resolve our domain blog.lemonaidhealth.com after implementing DNSSEC. It only happens using Google's DNS Servers. I've run a flush on blog.lemonaidhealth.com and lemonaidhealth.com. Nothing is working. We've contacted GoDaddy on this and their reply is it's "definitely not GoDaddy", contact Google.


** server can't find blog.lemonaidhealth.com: SERVFAIL.

Your DNSSEC is NOT set correctly.  This also fails on Comcast's and Verisign's security checking DNS.

So, it's not Google (or Comcast or Verisign).

Philip G

Mar 16, 2016, 6:38:28 PM
to public-dns-discuss, g...@gpcentre.net
On Wednesday, March 16, 2016 at 3:36:11 PM UTC-7, bytehead wrote:
Your DNSSEC is NOT set correctly.  This also fails on Comcast's and Verisign's security checking DNS.

So, it's not Google (or Comcast or Verisign).


Thanks for all the info. We're going back to GoDaddy and telling them "it's definitely you." 

Philip

Bryan Price

Mar 17, 2016, 9:40:48 AM
to dream...@gmail.com, public-dns-discuss
On Wed, Mar 16, 2016 at 11:58 PM, <dream...@gmail.com> wrote:
We're running into an issue trying to resolve our domain ifantasystudio.com. It only happens using Google's DNS Servers. I've run a flush on ifantasystudio.com. Nothing is working.

DNSSEC errors.  Doesn't work with 75.75.75.75 or 64.6.64.6 either.
