SERVFAIL when requesting AAAA record for domain with DNSSEC validation.


arjen...@parse.nl

May 23, 2016, 10:54:57 AM
to public-dns-discuss
Domain does not have IPv6 configured, but DNS query should return with NOERROR and empty result?

Google DNS with DNSSEC disabled (+cd) works correctly, same for @2001:4860:4860::8888: 

dig @8.8.4.4 www.yourzs.nl AAAA +cd

; <<>> DiG 9.10.4 <<>> @8.8.4.4 www.yourzs.nl AAAA +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8642
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.yourzs.nl. IN AAAA

;; AUTHORITY SECTION:
yourzs.nl. 1799 IN SOA nszero1.axc.nl. hostmaster.yourzs.nl. 2016050400 14400 3600 1209600 86400

;; Query time: 13 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Mon May 23 14:27:39 CEST 2016
;; MSG SIZE  rcvd: 101

Google DNS with DNSSEC fails with SERVFAIL, same for @2001:4860:4860::8888:


; <<>> DiG 9.10.4 <<>> @8.8.4.4 www.yourzs.nl AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49525
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.yourzs.nl. IN AAAA

;; Query time: 13 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Mon May 23 14:29:16 CEST 2016
;; MSG SIZE  rcvd: 42


OpenDNS and Level 3 work fine with both DNSSEC enabled and disabled:


; <<>> DiG 9.10.4 <<>> @208.67.220.220 www.yourzs.nl AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yourzs.nl. IN AAAA

;; AUTHORITY SECTION:
yourzs.nl. 2462 IN SOA nszero1.axc.nl. hostmaster.yourzs.nl. 2016050400 14400 3600 1209600 86400

;; Query time: 2 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon May 23 14:30:48 CEST 2016
;; MSG SIZE  rcvd: 112



Any ideas?

Arjen

Shen Wan

May 23, 2016, 11:37:43 AM
to public-dns-discuss, arjen...@parse.nl
Only the A record is signed: http://dnsviz.net/d/www.yourzs.nl/dnssec/

Alex Dupuy

May 23, 2016, 7:33:03 PM
to public-dns-discuss, arjen...@parse.nl
On Monday, May 23, 2016 at 10:54:57 AM UTC-4, arjen...@parse.nl wrote:
> Domain does not have IPv6 configured, but DNS query should return with NOERROR and empty result?


OpenDNS and Level 3 don't validate DNSSEC (i.e. they always respond as if CD bit were set) - a better cross-check for Google Public DNS is Verisign Public DNS (@64.6.64.6), which also validates DNSSEC.

It seems to be working now at Google Public DNS, not sure what was causing that failure.
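
The comparison this thread relies on (the same query sent with and without +cd), as an added example that is not part of any post: it parses the header lines dig prints and classifies the pair of responses. The function names are hypothetical, and the two sample headers are copied from the Google Public DNS output quoted in the first message.

```python
import re

# Matches the two header lines dig prints for every response.
HEADER = re.compile(
    r"status: (?P<rcode>\w+), id: \d+\s*"
    r";; flags: (?P<flags>[a-z ]*); QUERY: \d+, ANSWER: (?P<answers>\d+)"
)

def parse_dig(text):
    """Extract rcode, header flags and answer count from dig text output."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no dig response header found")
    return m["rcode"], set(m["flags"].split()), int(m["answers"])

def classify(validating_out, cd_out):
    """Compare a normal query with the same query sent with +cd."""
    rcode, flags, _ = parse_dig(validating_out)
    cd_rcode, cd_flags, cd_answers = parse_dig(cd_out)
    # The CD bit is echoed in the response; without it the pair proves nothing.
    if "cd" not in cd_flags:
        raise ValueError("second response does not carry the CD flag")
    if rcode == "SERVFAIL" and cd_rcode == "SERVFAIL":
        return "resolution failure (not specific to DNSSEC)"
    if rcode == "SERVFAIL":
        # NOERROR with zero answers is NODATA: the name exists, the type does not.
        nodata = cd_rcode == "NOERROR" and cd_answers == 0
        kind = "NODATA" if nodata else cd_rcode
        return f"likely DNSSEC validation failure; unvalidated answer is {kind}"
    if rcode == cd_rcode:
        return "validated (AD set)" if "ad" in flags else "consistent, AD not set"
    return f"inconsistent: {rcode} vs {cd_rcode} with +cd"

# Header lines copied from the dig output quoted in the thread.
GOOGLE_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8642
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49525
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify(GOOGLE, GOOGLE_CD))
```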
