On 2 Jul 2014, at 11:29, Mohamed Lrhazi <[email protected]> wrote:
> I am sure I messed up something, but can't figure out what! Some DNS
> servers, notably Google's, return SERVFAIL, since a couple of days now.
DNSSEC for gu.edu appears to be broken. Google's 8.8.8.8 service does DNSSEC
validation. SERVFAILs get returned when validation fails. FWIW my name servers
also do DNSSEC validation and they get SERVFAILs for your domain too.
It looks to me like someone/something rolled gu.edu's KSK and forgot to get the
parent delegation updated. .edu has one DS record for gu.edu which is for a key
with fingerprint 3078. None of the DNSKEYs in gu.edu have that footprint. This
makes it impossible to validate any signed data under gu.edu:
% drill -TD gu.edu ns
...
[T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed
;; Domain: gu.edu.
;; Signature ok but no chain to a trusted key or ds record
[S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}
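The mismatch described in the reply above can be checked without a resolver: the `id = ...` that drill prints for each DNSKEY is the RFC 4034 key tag, and a DS record such as `3078 7 1 <hex>` names the key tag (3078), the DNSKEY algorithm (7) and the digest type (1, SHA-1) of the child key it was generated from. The following is an added example, not code from the original post or from drill: it computes key tags and DS digests from DNSKEY RDATA and reports which DS records in the parent no longer match any key in the child apex, which is exactly the "rolled the KSK, forgot to update the parent" condition. The zone name `zone.example.` and the key bytes are constructed placeholders, not real RSA keys, so the tags and digests are only meaningful relative to each other.

```python
import hashlib
import struct


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA.

    This is the generic algorithm used for every DNSSEC algorithm except
    the deprecated RSA/MD5 (algorithm 1), which has its own rule.
    """
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b  # even offsets are the high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, as used for DS digests."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest(owner name in wire form | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def check_delegation(owner, dnskeys, ds_records):
    """Match each parent DS against the child's DNSKEY RRset.

    dnskeys:    list of (flags, protocol, algorithm, pubkey_bytes)
    ds_records: list of (key_tag, algorithm, digest_type, digest_hex)
    Returns the key tags of DS records that are matched by a DNSKEY and of
    those that are orphaned (no DNSKEY with the same tag, algorithm and digest).
    A resolver can only build a chain of trust through a matched DS.
    """
    result = {"matched": [], "orphaned": []}
    for tag, alg, dtype, digest in ds_records:
        found = False
        for flags, proto, kalg, pub in dnskeys:
            rd = dnskey_rdata(flags, proto, kalg, pub)
            if (key_tag(rd) == tag and kalg == alg
                    and ds_digest(owner, rd, dtype) == digest.lower()):
                found = True
                break
        result["matched" if found else "orphaned"].append(tag)
    return result


# Constructed sample keys (hypothetical, not real RSA key material).
OWNER = "zone.example."
OLD_KSK = (257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(1, 41)))
NEW_KSK = (257, 3, 7, b"\x03\x01\x00\x01" + bytes(range(41, 81)))
ZSK = (256, 3, 7, b"\x03\x01\x00\x01" + bytes(range(81, 121)))


def parent_ds_for(owner, key, digest_type=1):
    """Build the DS record a parent would publish for this DNSKEY."""
    rd = dnskey_rdata(*key)
    return (key_tag(rd), key[2], digest_type, ds_digest(owner, rd, digest_type))


def demo():
    """Before: parent DS points at the active KSK. After: KSK rolled, DS not updated."""
    ds_set = [parent_ds_for(OWNER, OLD_KSK)]
    before = check_delegation(OWNER, [OLD_KSK, ZSK], ds_set)
    after = check_delegation(OWNER, [NEW_KSK, ZSK], ds_set)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before roll:", before)
    print("after roll: ", after)  # the old KSK's tag shows up as orphaned
```

Run against real data, the DNSKEY tuples would come from the child apex and the DS tuples from the parent; any tag listed under `orphaned` means validating resolvers will SERVFAIL for the zone until either the DS at the parent is replaced or the matching KSK is put back (and re-signs the DNSKEY RRset).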
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations