The DS record for gu.edu does not have a matching self signed DNSKEY record. The DS record is for keyid 3078. There are no DNSKEY records with that keyid nor signatures generated with that keyid for the DNSKEY rrset.
I suspect a botched KSK key rollover. Mark ; <<>> DiG 9.11.0pre-alpha <<>> ds gu.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1308 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;gu.edu. IN DS ;; ANSWER SECTION: gu.edu. 86083 IN DS 3078 7 1 B4C9FB14D6519C3ECE5CC43E80C463D5847D73ED ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Jul 02 21:01:54 EST 2014 ;; MSG SIZE rcvd: 71 ; <<>> DiG 9.11.0pre-alpha <<>> +dnssec +rrcomments dnskey gu.edu @141.161.200.28 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19143 ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;gu.edu. IN DNSKEY ;; ANSWER SECTION: gu.edu. 86400 IN DNSKEY 257 3 7 AwEAAb6JcEZnTcIg2P2yv7uIBG8F8ZNOFh1EzJHp2OlYnNZL70KufziL Xye72PEeCoMKCArnw3vH/7zV9SvFfFsfaEEAPDwASUYs4kGlP0IJ297C hm9x1b+vQ+tMIbGhf8z9qGqFqT/N63EGcN5Wl6B9JhFrWWZIw/7hpX6Y GSNM9fHgE79O363FOQNnUk4tUkaPSKhBZRh4jYtGKCcFt0Sc0SiDjdz1 vPhzzq2p2XklLijHUAOHfuMFfDSUFu5/8JOz84CvtGhjpoSAJ7MffcTz M9Luzk9/DkvDoteK3VHtn90vZoOea/V8CbNWX2i7S0keZQ7f9SmMg3PE gRXue/kZVnE= ; KSK; alg = NSEC3RSASHA1; key id = 39339 gu.edu. 86400 IN DNSKEY 257 3 7 AwEAAa2FnxIFT7YpOPNV6VLfpzWCh5W5Fo9zsvA1zI4psLtj//c2Xrwy UFsCYktsIVnGD8mElKXq1w1zfxeo8xudMrS2v7QQmVnioF84rFHhh+CR RVPd+8DKD+hVSQVfUfticewC9DBLLrDSuprxFIZt8VHUn3vzTN9zYK45 /dGGSOXCN8Pj7kXvhLSOYy3WjKwLK84j+gr3jTytH9gsaRTl9FrOskB+ pyYqOOro4UolRa5aPYv2BVqENYgauuowfghSqObpWATIpLCujpm5SBRX IfW4veFKIfhBlNoHLG/iQKmcrj8DAtEe8ZTNJt2GNhn8dt+J7IJOSaYb QUGRzzZ9//0= ; KSK; alg = NSEC3RSASHA1; key id = 35043 gu.edu. 86400 IN DNSKEY 256 3 7 AwEAAb/7TwBkoZFMtAzV7MrojlnEM52p43LGGbm2XyaxrZYZ2dgO6aFv GZKUkzTDKn6a0Ko3qDL71uxAVdqInARg2DDv1mjC1ONS8axhu2T4clIb wUE9R0sWKW+AzlX048bC7yFfolhg8bocnrbBLe4ED8zJw4TGHEW1PoDH DMGgXmB4ZP/UP7FBOPOMbAk0/dGKjiiRBezF3i8GmQ2w9sZB5Y9ns+uE N3BqJE5rM21kNw/KB8GCfhiDqI4jsq8w3EQ3gM/slbdHFl3oUbaEho2B ZMpmQ+lRwEVG2XBGrxwMxU4gKhmS6anPAywBjMl/I+49FgqV2FtNcCIl sHJZQkqKrX8= ; ZSK; alg = NSEC3RSASHA1; key id = 38702 gu.edu. 86400 IN DNSKEY 256 3 7 AwEAAbk4F64sFJvk8JEtpOW2sa/8No8f5MNT4N1qQaXZHfhobBKw8Jb7 JxNQqGLhmCnzHXMXS28zMx00YsgTUV90rE0fAY6d6pA5khO4Fq+nTLyS jbLeGozYFsLRvr3WnAc1j3Htsuo7phZWb/rAxe0KvVT6oV0JnGptflGh GjFTlFAIQiO4RldyVEOSk9pu9vZAGc75318JREcdez9QI1GM6yxT9qgh H1WrRHSBA/Mn3CitLMgIgatZ7N4tkclH+P0lphWPrREumIC9Il5ZAi6e Ayh/BSMpcpugPX03dXHssVRJEKXC6h6JoP7W1ZL4i4K6coLF+6QmXxjn N+GILy70XzU= ; ZSK; alg = NSEC3RSASHA1; key id = 25247 gu.edu. 86400 IN RRSIG DNSKEY 7 2 86400 20140705183107 20140628183107 39339 gu.edu. V90hsL73pY7thRDBFUICo5M/m46+nvR8nSkC7FCjSSCK6ZVuwIO2GoPV ytvmX9zVLcVZmgkP/a3nyV79ENN76j1RGhTrJLq8ekD6fl7P4djk66sB yrMiyijY8dr6CcuVVp1LnMzgDACSyPMoWnmsXEAX2zxgCJxN1FKm3INM AzEL8d/AThWG2fRTww6whQlISKYkvuN9zflK4qxUsucshccmimQj0799 7GjQh50yUYhjVOFdYdiyU3q/MtHOmjMOL7bnmquiBvXC39Qan2+e1Kys CT17b4zWUYy54qF6hEejafCsrsTy6jZIk5aXGhqA1LG/mqPI1gt74Bpu 2JI+WQ== gu.edu. 86400 IN RRSIG DNSKEY 7 2 86400 20140705183107 20140628183107 35043 gu.edu. Im5/h/K08KpcnZIXKXjTBTshEYTjMdeZeCx1qgVzhRq5jQs9ERXG8wzn Plvs809SGTuvHbSBqoziCw7eWbGhlDthj1sc7AzAr22lGRRZB7KuKJx6 BbyGRSCcte2cbec03tzf4axFIjV/AWUKPVwZz+FyLjlE8M+1m+9wf1rd RAC/sHyeRIk+UgMzbxfu4NtP+obeh3QK00acFSWzGq/GOvijub8AiD40 tMAl8eszWhi6nvRgXgCIbrILJscL0dVZVgUxe4wdJPM9l0t97y8D8/jA 8RWFSETipEgN9x1SK9OBjCA0+e7Xb1GL5u2XvgZ+47I6t5fI9a2aCTuZ cdjRxA== gu.edu. 86400 IN RRSIG DNSKEY 7 2 86400 20140705183107 20140628183107 38702 gu.edu. I0hR/eirR7oCcWXty592yeHa7ceOePt4h/ktKAMcptlYzxzyVsNZE00p JVO2RwTTyc4ROG7IjU4hrlXk47w8cRFh2HlawF/wDbqxrMAJnZl1cR/4 lNpdpdDCAvXE0YCNE9MDJJ2RlTdK0EKE1/Z6uxvdZwlLSNmdTRQZq3U6 Er8BrKydIpyaOATGTHEeDVdv6862cp/JnGbyfnPQH8zUqLwjeEwV++q7 EzdX8009sqoM0qKS+QSKD33rTwfBmgDYX4A4KePCK8VqLg3VFVuMzjLv +mlm4QJ7QVxpiKPoiCPDUCw5OPZICl3ZPgbB06FgHHAbqf1USG63Vazg SmTujQ== gu.edu. 86400 IN RRSIG DNSKEY 7 2 86400 20140705183107 20140628183107 25247 gu.edu. E4HC0HzDzSwXhRHCJuPPuLeLAsOs7hjEHqnKxt9SRx4oKOt5g/A33mHZ tr7YbGtuf5+5MkPeXaIAAwaywBzkGCFbUVlD6tGEvpDLrm/Cw12w8rfs FY0OfvJrovr15ZeH57SswhiLtTuh1NA5WqALxmbENRg/ja9Due86Js6I G7ImoajhkD2oSS0QCpwuk+pKv0xpfllawE/pzszL7vcLZSCPmXvsAwr9 TqmvmP70B+YjnGeNlEFAx1YGgS4urnNIf7/aMSk+sqrFH+1su8Q6zO94 miiz18q2xbCebSQJoRkf61n84gdVyJ+My4UfQ9sP1um8w4yD+M0i84SZ r02fGg== ;; Query time: 436 msec ;; SERVER: 141.161.200.28#53(141.161.200.28) ;; WHEN: Wed Jul 02 21:02:26 EST 2014 ;; MSG SIZE rcvd: 2291 In message <[email protected] il.com>, Mohamed Lrhazi writes: > --===============7582107217492035289== > Content-Type: multipart/alternative; boundary=047d7b2e3d92c70dd404fd33 > 5ec9 > > --047d7b2e3d92c70dd404fd335ec9 > Content-Type: text/plain; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > > I am sure I messed up something, but cant figure out what! Some DNS > servers, notably Google's, return SERVFAIL, since a couple of days now > . > > This dns report says the NS records do not have A records... but they > do in > my zone data. > > http://www.dnssy.com/report.php?q=3Dgu.edu > > > > =E2=9E=9C ~ dig any gu.edu @8.8.8.8 > > ; <<>> DiG 9.9.5-3-Ubuntu <<>> any gu.edu @8.8.8.8 > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24840 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags:; udp: 512 > ;; QUESTION SECTION: > ;gu.edu. IN ANY > > ;; Query time: 80 msec > ;; SERVER: 8.8.8.8#53(8.8.8.8) > ;; WHEN: Wed Jul 02 06:21:49 EDT 2014 > ;; MSG SIZE rcvd: 35 > > --047d7b2e3d92c70dd404fd335ec9 > Content-Type: text/html; charset=UTF-8 > Content-Transfer-Encoding: quoted-printable > > <div dir=3D"ltr"><div>I am sure I messed up something, but cant figure > out = > what! Some DNS servers, notably Google's, return SERVFAIL, since a > coup= > le of days now.</div><div><br></div><div>This dns report says the NS r > ecord= > s do not have A records... but they do in my zone data.</div> > > <div><br></div><div><a href=3D"http://www.dnssy.com/report.php?q=3Dgu. > edu">= > http://www.dnssy.com/report.php?q=3Dgu.edu</a><br></div><div><br></div > ><div= > ><br></div><div><br></div><div><div>=E2=9E=9C =C2=A0~ =C2=A0dig any <a > href= > =3D"http://gu.edu";>gu.edu</a> @<a href=3D"http://8.8.8.8";>8.8.8.8</a>< > /div> > > <div><br></div><div>; <<>> DiG 9.9.5-3-Ubuntu <<> > > = > any <a href=3D"http://gu.edu";>gu.edu</a> @<a href=3D"http://8.8.8.8";>8 > .8.8.= > 8</a></div><div>;; global options: +cmd</div><div>;; Got answer:</div> > <div> > > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24840 > </div= > ><div>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONA > L: 1<= > /div><div><br></div><div>;; OPT PSEUDOSECTION:</div><div>; EDNS: versi > on: 0= > , flags:; udp: 512</div> > > <div>;; QUESTION SECTION:</div><div>;<a href=3D"http://gu.edu";>gu.edu< > /a>.<= > span class=3D"" style=3D"white-space:pre"> > </span>IN<span class=3D"" sty= > le=3D"white-space:pre"> </span>ANY</div><div><br></div><div>;; Q > uery time: = > 80 msec</div> > > <div>;; SERVER: 8.8.8.8#53(8.8.8.8)</div><div>;; WHEN: Wed Jul 02 06:2 > 1:49 = > EDT 2014</div><div>;; MSG SIZE =C2=A0rcvd: 35</div></div><div><br></di > v></d= > iv> > > --047d7b2e3d92c70dd404fd335ec9-- > > --===============7582107217492035289== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > dns-jobs mailing list > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > --===============7582107217492035289==-- -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [email protected] _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
