DNSSEC resolution of lsqzj.net fails on Google Public DNS server, but others do not have this problem


chen yulong

May 29, 2024, 9:00:17 AM
to public-dns-discuss
request lsqzj.net DNSKEY
{
  "Status": 2 /* SERVFAIL */,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "lsqzj.net.",
      "type": 48 /* DNSKEY */
    }
  ],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/lsqzj.net/dnssec/ and http://dnssec-debugger.verisignlabs.com/lsqzj.net for errors",
  "extended_dns_errors": [
    {
      "info_code": 6,
      "extra_text": "RRSIG with malformed signature found for lsqzj.net/dnskey (keytag=35318)"
    }
  ]
}

Checking http://dnsviz.net/d/lsqzj.net/dnssec/ and http://dnssec-debugger.verisignlabs.com/lsqzj.net showed no errors or warnings.

Other public DNS servers' results are right, for example:

C:\Users\shoot>dig lsqzj.net +dnssec @1.1.1.1 -t dnskey +short
256 3 13 MYDAAEgB4tMcB1HfJCEOG8yooNnJ/K0kB0Sl6dVQg14rT6cSCwraL5+C hF+OjNxo6aZhiV1A0nN4TALFwpU8jQ==
257 3 13 D9NmHuXWSB9AYoZP6PLvNEiy+PE/zmanzmV73mWP+UIukuaBw37Qvy6p IQ4rSbqhG1IWZxp11t0KNA93tJjhsQ==
DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. Lf5JZhLGNqDREgoIhUdRLeXyyRBzZdfKq9ye4UvQkcWVAX1C52jWXJc8 ywRvUsPHfuruzenFNX+3PZ3UbIdtoQ==

C:\Users\shoot>dig lsqzj.net +dnssec @4.2.2.4 -t dnskey +short
256 3 13 MYDAAEgB4tMcB1HfJCEOG8yooNnJ/K0kB0Sl6dVQg14rT6cSCwraL5+C hF+OjNxo6aZhiV1A0nN4TALFwpU8jQ==
257 3 13 D9NmHuXWSB9AYoZP6PLvNEiy+PE/zmanzmV73mWP+UIukuaBw37Qvy6p IQ4rSbqhG1IWZxp11t0KNA93tJjhsQ==
DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. zA25LPbGz9TaRvkMPZKudLVi3TpPqebqkr6LQJva3FWgJ4KTy/jQ189Y QscyOohVjbGaghotE7aQKUgvvXDDiw==

C:\Users\shoot>dig lsqzj.net +dnssec @9.9.9.9 -t dnskey +short
256 3 13 MYDAAEgB4tMcB1HfJCEOG8yooNnJ/K0kB0Sl6dVQg14rT6cSCwraL5+C hF+OjNxo6aZhiV1A0nN4TALFwpU8jQ==
257 3 13 D9NmHuXWSB9AYoZP6PLvNEiy+PE/zmanzmV73mWP+UIukuaBw37Qvy6p IQ4rSbqhG1IWZxp11t0KNA93tJjhsQ==
DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. LYWN83EwadvVkdI+jK4KmVA7oyqoJDH9tGtjgTJSqFgF8ve0F0CqAVBz uQ4qL8/pDKXMNI55neUSsKgAGbq5rg==

C:\Users\shoot>dig lsqzj.net +dnssec @208.67.222.222 -t dnskey +short
256 3 13 MYDAAEgB4tMcB1HfJCEOG8yooNnJ/K0kB0Sl6dVQg14rT6cSCwraL5+C hF+OjNxo6aZhiV1A0nN4TALFwpU8jQ==
257 3 13 D9NmHuXWSB9AYoZP6PLvNEiy+PE/zmanzmV73mWP+UIukuaBw37Qvy6p IQ4rSbqhG1IWZxp11t0KNA93tJjhsQ==
DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. t6bl+drjnhwOUKOKYdzP28ox0qKNnHypruPzYsfMqeyeKVRnaa3jEiNB xExuyrFqnw31fLW/Z9Z58osa5fTBlw==

C:\Users\shoot>dig lsqzj.net +dnssec @216.146.35.35 -t dnskey +short
257 3 13 D9NmHuXWSB9AYoZP6PLvNEiy+PE/zmanzmV73mWP+UIukuaBw37Qvy6p IQ4rSbqhG1IWZxp11t0KNA93tJjhsQ==
256 3 13 MYDAAEgB4tMcB1HfJCEOG8yooNnJ/K0kB0Sl6dVQg14rT6cSCwraL5+C hF+OjNxo6aZhiV1A0nN4TALFwpU8jQ==
DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. I0bGTXorcASPmtC5j9uru9SL6XLkLh/RvNZHVHWOtB42NVxUBA5C+1/I zDL4wjc3K94Q5Tp4IWRvLbNaFYZmvg==

C:\Users\shoot>dig lsqzj.net +dnssec @8.8.8.8 -t dnskey +short

C:\Users\shoot>dig lsqzj.net +dnssec @8.8.8.8 -t dnskey

; <<>> DiG 9.17.12 <<>> lsqzj.net +dnssec @8.8.8.8 -t dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38162
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for lsqzj.net/dnskey (keytag=35318))
;; QUESTION SECTION:
;lsqzj.net.                     IN      DNSKEY

;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed May 29 15:33:54
;; MSG SIZE  rcvd: 116


Thanks for your help.
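
The RRSIG lines from the post above, decoded field by field as an added example that is not part of the original thread: it checks the signature length against the algorithm, the validity window, and whether the resolvers returned the same signature. The `FIXED_SIG_LEN` table and the function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# RRSIG lines copied from the dig +short output in the post, keyed by resolver.
RRSIGS = {
    "1.1.1.1": "DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. "
               "Lf5JZhLGNqDREgoIhUdRLeXyyRBzZdfKq9ye4UvQkcWVAX1C52jWXJc8 ywRvUsPHfuruzenFNX+3PZ3UbIdtoQ==",
    "4.2.2.4": "DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. "
               "zA25LPbGz9TaRvkMPZKudLVi3TpPqebqkr6LQJva3FWgJ4KTy/jQ189Y QscyOohVjbGaghotE7aQKUgvvXDDiw==",
    "9.9.9.9": "DNSKEY 13 2 3600 20740516052451 20240528052451 35318 lsqzj.net. "
               "LYWN83EwadvVkdI+jK4KmVA7oyqoJDH9tGtjgTJSqFgF8ve0F0CqAVBz uQ4qL8/pDKXMNI55neUSsKgAGbq5rg==",
}
# Fixed signature sizes in bytes: ECDSA P-256/P-384 (RFC 6605), Ed25519 (RFC 8080).
FIXED_SIG_LEN = {13: 64, 14: 96, 15: 64}

def _epoch(field):
    """RRSIG presentation time YYYYMMDDHHmmSS (UTC) -> seconds since 1970."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def parse_rrsig(line):
    """Split one presentation-format RRSIG RDATA line into checked fields."""
    f = line.split()
    sig = base64.b64decode("".join(f[8:]), validate=True)
    alg, exp, inc = int(f[1]), _epoch(f[4]), _epoch(f[5])
    return {
        "covered": f[0], "alg": alg, "labels": int(f[2]), "ttl": int(f[3]),
        "expiration": exp, "inception": inc, "keytag": int(f[6]),
        "signer": f[7], "sig": sig,
        "sig_len_ok": FIXED_SIG_LEN.get(alg) in (None, len(sig)),
        "validity_days": (exp - inc) // 86400,
        # On the wire both times are unsigned 32-bit (RFC 4034, 3.1.5); a value
        # above 2**31 - 1 only parses correctly with unsigned handling.
        "exp_above_int32": exp > 2**31 - 1,
    }

def compare(rrsigs):
    """Parse every resolver's RRSIG and report what differs between them."""
    parsed = {r: parse_rrsig(line) for r, line in rrsigs.items()}
    meta = {tuple(v for k, v in p.items() if k != "sig") for p in parsed.values()}
    return {"parsed": parsed, "same_metadata": len(meta) == 1,
            "distinct_signatures": len({p["sig"] for p in parsed.values()})}

if __name__ == "__main__":
    result = compare(RRSIGS)
    for resolver, p in result["parsed"].items():
        print(resolver, p["keytag"], len(p["sig"]), p["sig_len_ok"],
              p["validity_days"], p["exp_above_int32"])
    print(result["same_metadata"], result["distinct_signatures"])
```

Identical metadata with a different signature per resolver is consistent with ECDSA signatures being generated separately for each response or on each authoritative server; the output does not by itself explain the SERVFAIL from 8.8.8.8.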

Peter Safwat

Sep 24, 2024, 9:53:47 PM
to public-dns-discuss
DNS delivers secure and resilient DNS service with the fastest response time (11ms on average), unparalleled redundancy (locations in over 330 cities), and advanced security.



BENEFITS OF CLOUDFLARE DNS
Industry-leading performance
Our authoritative DNS is the fastest in the world, offering DNS lookup speeds of 11ms on average and ensuring websites load as fast as possible.

Unmatched reliability
Our global network offers optimal redundancy, with DNS resolution available at each of our data centers across over 330 cities.

Stop DNS-based attacks
Cloudflare offers built-in DDoS protection and one-click DNSSEC to ensure your applications are always safeguarded from DNS attacks.


DNS made easy
All your domains can be managed through our user-friendly interface or via an API, without regard to where you host your Internet properties.
Unlimited and unmetered DDoS mitigation

Stop attacks on your DNS by relying on our network, which has capacity 23x higher than the largest attacks ever recorded.

Fast, Easy-to-use DNS


Unmetered DDoS Protection

Role-based Account Control

Free Managed Ruleset

Bot Mitigation
Simple bots
More advanced bots
Sophisticated bots and basic bot analytics
All bots, anomaly detection, custom CAPTCHAs & threat response, advanced bot analytics, and more

Cloudflare Rules
Up to 65 rules
Up to 155 rules
Up to 310 rules
Up to 760 rules

Layer-3 Network DDoS protection with Magic Transit*
Custom Pricing

Network Prioritization

Support Options
Community forums and documentation
Tickets + Community Forums
Tickets + Chat + Community Forums
24x7x365 Tickets + Chat + Phone + Community Forums

Prevent email phishing

Easily configure email security DNS records to stop phishers from sending emails from your domain.


Advanced DNS analytics

Get in-depth, real-time analytics for the health of your DNS traffic, accessible from the Cloudflare Dashboard.

HOW IT WORKS
Our global network ensures DNS resolves quickly
The Cloudflare global network interconnects with over 12,500 networks, ensuring users anywhere in the world can quickly load your websites and applications.

DNS also comes with built-in security, mitigating DDoS attacks that can degrade response times and authenticating DNS responses with DNSSEC to ensure users are not misdirected to malicious websites.