
[public-dns-discuss] DNSSEC Issue Resolving .gov.au subdomains



Hi,

The Google Public DNS servers are currently returning SERVFAIL responses for subdomains of .gov.au.

The .gov.au zone was recently signed ( https://www.dta.gov.au/blogs/signing-govau-zone ), so I suspect this may be related.

Disabling DNSSEC results in a successful query.

Example queries:

WITH DNSSEC
$ dig @8.8.8.8 www.health.nsw.gov.au

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au.         IN      A

;; Query time: 267 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:31 AEST 2019
;; MSG SIZE  rcvd: 50

WITHOUT DNSSEC
$ dig @8.8.8.8 +cd www.health.nsw.gov.au

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 +cd www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au.         IN      A

;; ANSWER SECTION:
www.health.nsw.gov.au.  0       IN      CNAME   health.nsw.gov.au.
health.nsw.gov.au.      299     IN      A       202.58.231.80

;; Query time: 268 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 07 20:35:47 AEST 2019
;; MSG SIZE  rcvd: 80


Similar responses are seen for www.health.vic.gov.au and www.health.qld.gov.au.

No DS records exist for nsw.gov.au, vic.gov.au or qld.gov.au, so my expectation would be that the Google servers shouldn't perform DNSSEC validation when querying these domains.

A web query at the following URL confirms DNSSEC validation as an issue
https://dns.google.com/query?name=www.health.nsw.gov.au&type=A&dnssec=true



{
  "Status": 2,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.health.nsw.gov.au.",
      "type": 1
    }
  ],
  "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.health.nsw.gov.au/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.health.nsw.gov.au for errors"
}


The problem doesn't exist on other public DNS services such as Cloudflare, OpenDNS, etc.
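
The comparison made in this message (the same query sent with and without the CD bit), as an added example that is not part of the original post: it parses the header of two dig outputs and decides whether a SERVFAIL is specific to the validating path. The function names and result labels are assumptions chosen for illustration; the two sample headers are copied from the dig output above.

```python
import re

# Header lines copied from the two dig outputs in the post above.
WITH_VALIDATION = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
WITH_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig_header(text):
    """Extract rcode, header flags and answer count from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    # ';; flags:' anchors on the header line, not the EDNS 'flags:;' line.
    flags = re.search(r"^;; flags:([a-z ]*);.*ANSWER: (\d+)", text, re.M)
    if not status or not flags:
        raise ValueError("no dig response header found")
    return status.group(1), set(flags.group(1).split()), int(flags.group(2))

def classify(validated_out, cd_out):
    """Compare a normal query with a +cd query sent to the same resolver."""
    v_status, v_flags, _ = parse_dig_header(validated_out)
    c_status, c_flags, _ = parse_dig_header(cd_out)
    if "cd" not in c_flags:
        raise ValueError("second output is not a +cd response")
    if v_status == "SERVFAIL":
        if c_status in ("NOERROR", "NXDOMAIN"):
            # The resolver can fetch the data; only the validating path fails.
            return "dnssec-validation-failure"
        # Fails with checking disabled too: not a DNSSEC-specific problem.
        return "resolution-failure"
    if v_status == "NOERROR":
        # AD set means the resolver validated the answer as secure.
        return "validated" if "ad" in v_flags else "unsigned-or-not-validated"
    return "other:" + v_status

if __name__ == "__main__":
    print(classify(WITH_VALIDATION, WITH_CD))
```
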
