
Re: [public-dns-discuss] DNSSEC Issue Resolving .gov.au subdomains



√vandrzejs-air:~ rozalia$ dig @8.8.8.8 www.health.nsw.gov.au

; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.health.nsw.gov.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60162
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.health.nsw.gov.au. IN A

;; ANSWER SECTION:
www.health.nsw.gov.au. 299 IN CNAME health.nsw.gov.au.
health.nsw.gov.au. 299 IN A 202.58.231.80

;; Query time: 384 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 08 17:44:36 CEST 2019
;; MSG SIZE  rcvd: 80



On Sunday, April 7, 2019, <benbryzak AT gmail.com> wrote:
> Hi,
>
> The Google Public DNS servers are currently returning SERVFAIL responses for subdomains of .gov.au.
>
> The .gov.au was recently signed ( https://www.dta.gov.au/blogs/signing-govau-zone ) so I suspect this may be related.
>
> Disabling DNSSEC results in a successful query.
>
> example queries:
>
> With DNSSEC
> $ dig @8.8.8.8 www.health.nsw.gov.au
>
> ; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 www.health.nsw.gov.au
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.health.nsw.gov.au.         IN      A
>
> ;; Query time: 267 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Sun Apr 07 20:35:31 AEST 2019
> ;; MSG SIZE  rcvd: 50
>
> WITHOUT DNSSEC
> $ dig @8.8.8.8 +cd www.health.nsw.gov.au
>
> ; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 +cd www.health.nsw.gov.au
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.health.nsw.gov.au.         IN      A
>
> ;; ANSWER SECTION:
> www.health.nsw.gov.au.  0       IN      CNAME   health.nsw.gov.au.
> health.nsw.gov.au.      299     IN      A       202.58.231.80
>
> ;; Query time: 268 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Sun Apr 07 20:35:47 AEST 2019
> ;; MSG SIZE  rcvd: 80
>
>
> Similar responses are seen for www.health.vic.gov.au and www.health.qld.gov.au
>
> No DS records exist for nsw.gov.au, vic.gov.au or qld.gov.au, so my expectation would be that the Google servers shouldn't perform DNSSEC validation when querying these domains.
>
> A web query at the following URL confirms DNSSEC validation as an issue
> https://dns.google.com/query?name=www.health.nsw.gov.au&type=A&dnssec=true
>
>
> {
> "Status": 2,
> "TC": false,
> "RD": true,
> "RA": true,
> "AD": false,
> "CD": false,
> "Question": [
> {
> "name": "www.health.nsw.gov.au.",
> "type": 1
> }
> ],
> "Comment": "DNSSEC validation failure. Check http://dnsviz.net/d/www.health.nsw.gov.au/dnssec/ and http://dnssec-debugger.verisignlabs.com/www.health.nsw.gov.au for errors"
> }
>
>
> Problem doesn't exist on other public DNS services such as Cloudflare, OpenDNS etc.
>
> --
> You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
> To post to this group, send email to public-dns-discuss AT googlegroups.com.
> Visit this group at https://groups.google.com/group/public-dns-discuss.
> To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/0e0b1652-8f79-46b1-a2b2-92d63731b713%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
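
As an added example (not part of either message in this thread), the comparison the original report makes by hand, the same query sent normally and again with `+cd`, can be scripted to separate a DNSSEC validation failure from an ordinary resolution failure. The function names and verdict labels are assumptions of this example; the sample header lines are copied from the dig outputs above.

```python
import re

# Header lines copied from the dig outputs quoted in this thread.
WITH_VALIDATION = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
WITH_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28695
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
LATER_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60162
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);.*?ANSWER: (\d+)", re.M)

def parse_dig(text):
    """Extract rcode, header flags and answer count from dig's text output."""
    header, flags = HEADER_RE.search(text), FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("no dig response header found")
    return {"status": header.group(2),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}

def classify(validating, checking_disabled):
    """Compare one query sent normally and again with +cd (Checking Disabled)."""
    v, cd = parse_dig(validating), parse_dig(checking_disabled)
    if "cd" not in cd["flags"]:
        raise ValueError("second response was not obtained with +cd")
    if v["status"] == "SERVFAIL":
        # The resolver can fetch the data but refuses to return it validated.
        if cd["status"] == "NOERROR" and cd["answers"] > 0:
            return "dnssec-validation-failure"
        # Failing even with validation off points away from DNSSEC.
        if cd["status"] == "SERVFAIL":
            return "resolution-failure"
    if v["status"] == "NOERROR":
        # ad = the resolver states it validated the answer.
        return "validated" if "ad" in v["flags"] else "answered-not-validated"
    return "inconclusive"

if __name__ == "__main__":
    print(classify(WITH_VALIDATION, WITH_CD))
    print(classify(LATER_REPLY, WITH_CD))
```

A `dnssec-validation-failure` verdict only says that the resolver rejected data it was able to fetch; it does not identify which link in the chain of trust failed.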
