Yesterday a customer of ours reported they couldn't get to mypay.dfas.mil. Upon looking into it I see both of my Unbound servers are returning SERVFAIL. Given the type of site this is I suspected this to be a possible DNSSEC issue. I verified there's an issue here:
http://dnsviz.net/d/dfas.mil/dnssec/

  dfas.mil/DNSKEY: This RRset is not covered by any RRSIG.
  dfas.mil/MX: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but the dfas.mil/MX RRset was not signed by any DNSKEY with algorithm(s) 7.
  dfas.mil/SOA: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but the dfas.mil/SOA RRset was not signed by any DNSKEY with algorithm(s) 7.
  dfas.mil/TXT: DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but the dfas.mil/TXT RRset was not signed by any DNSKEY with algorithm(s) 7.

I tested resolution against both DNS-OARC's BIND and Unbound DNSSEC public servers:

  BIND 9    149.20.64.20   2001:4f8:3:2bc:1::64:20
  Unbound   149.20.64.21   2001:4f8:3:2bc:1::64:21

Their Unbound server fails just as mine do, but their BIND server returns the A record. I'm reluctant to disable DNSSEC validation over this one domain, considering there appears to be an actual problem. Considering BIND as well as Google's public DNS are validating this site OK I figured it was worth bringing up. Any feedback is appreciated!

/ehren
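The dnsviz findings quoted above are instances of one rule: RFC 4035 section 2.2 requires that every algorithm present in a zone's DNSKEY RRset sign every RRset in the zone, and Unbound enforces that rule strictly (hence SERVFAIL) while some other validators accept a chain built from algorithm 8 alone. The script below is an added example, not part of the original post and not Unbound or dnsviz code; it applies the rule to a constructed set of DNSKEY and RRSIG records shaped like the report above (the record tuples, the RSASHA1-NSEC3-SHA1 / RSASHA256 labels for algorithms 7 and 8, and the presence of an unsigned A RRset are all assumptions), so that an operator can see exactly which RRsets a strict validator will reject and why.

```python
"""Find RRsets that break the RFC 4035 s2.2 rule: every algorithm in the
zone's DNSKEY RRset must sign every RRset. Input data is constructed to
mirror the dnsviz report in the post; it is not live DNS data."""

from collections import defaultdict

# Assumed human-readable names for the two algorithm numbers in the report.
ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed DNSKEY RRset: (owner, flags, protocol, algorithm).
# Two keys for algorithm 8 plus a leftover algorithm-7 key is the pattern
# that produces the "not signed by any DNSKEY with algorithm(s) 7" error.
DNSKEYS = [
    ("dfas.mil.", 257, 3, 8),  # KSK, algorithm 8
    ("dfas.mil.", 256, 3, 8),  # ZSK, algorithm 8
    ("dfas.mil.", 256, 3, 7),  # stale ZSK, algorithm 7 (assumed)
]

# Constructed RRSIG records: (owner, type covered, algorithm).
# Note there is no RRSIG covering DNSKEY at all, and only the A RRset
# carries signatures from both algorithms.
RRSIGS = [
    ("dfas.mil.", "SOA", 8),
    ("dfas.mil.", "MX", 8),
    ("dfas.mil.", "TXT", 8),
    ("dfas.mil.", "A", 8),
    ("dfas.mil.", "A", 7),
]

# RRsets we know exist at the apex (constructed list).
RRSETS = [("dfas.mil.", t) for t in ("DNSKEY", "SOA", "MX", "TXT", "A")]


def zone_algorithms(dnskeys):
    """Set of algorithm numbers present in the DNSKEY RRset."""
    return {alg for (_owner, _flags, _proto, alg) in dnskeys}


def signing_algorithms_by_rrset(rrsigs):
    """Map (owner, type) -> set of algorithms that have an RRSIG over it."""
    sigs = defaultdict(set)
    for owner, rtype, alg in rrsigs:
        sigs[(owner, rtype)].add(alg)
    return sigs


def find_signature_gaps(rrsets, dnskeys, rrsigs):
    """Return {(owner, type): sorted list of algorithms missing a signature}.

    An RRset with no RRSIG at all is missing every zone algorithm; an RRset
    signed by a subset of the zone algorithms is missing the rest. Either
    case makes a strict validator such as Unbound return SERVFAIL.
    """
    required = zone_algorithms(dnskeys)
    sigs = signing_algorithms_by_rrset(rrsigs)
    gaps = {}
    for rrset in rrsets:
        missing = sorted(required - sigs.get(rrset, set()))
        if missing:
            gaps[rrset] = missing
    return gaps


def report(rrsets, dnskeys, rrsigs):
    """Produce dnsviz-style one-line findings for each failing RRset."""
    required = sorted(zone_algorithms(dnskeys), reverse=True)
    sigs = signing_algorithms_by_rrset(rrsigs)
    lines = []
    for owner, rtype in rrsets:
        have = sigs.get((owner, rtype), set())
        missing = sorted(set(required) - have)
        if not have:
            lines.append(f"{owner}/{rtype}: This RRset is not covered by any RRSIG.")
        elif missing:
            names = ", ".join(f"{a} ({ALG_NAMES.get(a, 'unknown')})" for a in missing)
            lines.append(
                f"{owner}/{rtype}: DNSKEYs exist for algorithm(s) "
                f"{', '.join(map(str, required))}, but the RRset was not signed "
                f"by any DNSKEY with algorithm(s) {names}; strict validators will SERVFAIL."
            )
    return lines


if __name__ == "__main__":
    for line in report(RRSETS, DNSKEYS, RRSIGS):
        print(line)
```

On the constructed data the unsigned DNSKEY RRset and the three RRsets signed only with algorithm 8 are flagged, while the A RRset (signed with both 7 and 8) passes, which is the behaviour the post observes: the fix belongs on the zone owner's side (remove the leftover algorithm-7 DNSKEY or sign everything with it), not in the resolver's validation settings.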
