
Re: [public-dns-discuss] Unable to resolve keeex.me



As I said, everything seems to be in order except from Google DNS's point of view.
The DNSSEC configuration and registration are handled by our provider, and work fine.
Various DNSSEC checking tools (including dnsviz.net, the Verisign DNSSEC analyzer and https://zonemaster.iis.se/?resultid=103fa65fe49a56a6) are able to perform all checks, including checking keys and signatures.
Other DNS providers that do DNSSEC validation work, except for Google DNS.

$ dig @1.0.0.1 +dnssec +cd A keeex.me

; <<>> DiG 9.11.4-3ubuntu5.1-Ubuntu <<>> @1.0.0.1 +dnssec +cd A keeex.me
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;keeex.me.                      IN      A

;; ANSWER SECTION:
keeex.me.               60      IN      A       188.165.84.153
keeex.me.               60      IN      RRSIG   A 3 2 60 20190508050056 20190408050056 58799 keeex.me. CAzEaUvs0/Rp09SBPk3yMHRf40GnayZtkS7kjV8gI7PK7Ns47McQ3eE=

;; Query time: 15 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: jeu. avril 18 18:56:14 UTC 2019
;; MSG SIZE  rcvd: 134

I tried Quad9 (above), Verisign (64.6.64.6), Cloudflare (1.1.1.1 and 1.0.0.1) and others. All give the same result except 8.8.8.8 and 8.8.4.4.
Unless you're telling me none of these providers actually implement DNSSEC validation, I doubt I can do much more.


On Thu, Apr 18, 2019 at 18:47, Andrzej Swietek <andrzej.f.swietek AT gmail.com> wrote:
You must add DNS keys to the root server at the root level!

The chain is broken when you do a DNS query against Google DNS servers, because the problem you experience with this is that Google is set up correctly to do DNSSEC validation from the root level all the way to your authoritative DNS servers

keeex.me. 3600 IN NS dns106.ovh.net.
keeex.me. 3600 IN NS ns106.ovh.net.

for your domain

On Thursday, April 18, 2019, Cley Faye <cleyfaye AT gmail.com> wrote:
> I'm not sure what you mean by that. Sorry, I'm not the guy that usually handles this.
> Looking at http://dnsviz.net/d/keeex.me/dnssec/ it seems to me that all the keys in the chain are ok. Beyond that I'll have to ask our provider.
> What seemed weird to me is that it works everywhere else, and even used to work fine with google's dns.
>
> On Thu, Apr 18, 2019 at 17:31, Andrzej Swietek <andrzej.f.swietek AT gmail.com> wrote:
>
> Do you have the keys registered at the root dns server where your domain is registered?
>
> On Thursday, April 18, 2019, <cleyfaye AT gmail.com> wrote:
>> Hi,
>> One of our domains is not resolved by Google public DNS. It does work when disabling DNSSEC, however there doesn't seem to be a problem here on our end, and other resolvers do work.
>>
>> The date and time you encountered the problem
>>
>> 2019-04-18T13:38:12.571Z
>>
>> Your location
>>
>> France
>>
>> The platform on which you are noticing the problem (e.g. Mac, Windows, router, etc.): multiple, confirmed on Linux and Windows PCs
>> The hostname(s) for which you are having a problem:
>>
>> keeex.me
>> (also happens on subdomains)
>>
>> Whether the problem is continuous or intermittent: the problem has persisted for at least a few days now
>> The links to the tools' name server diagnosis report page:
>>
>> https://intodns.com/keeex.me
>>
>> The output of the commands you ran in the diagnostic tests
>>
>> 15:43 $ traceroute -n -w 2 -q 2 -m 30 8.8.8.8
>> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
>>  1  10.0.1.1  1.359 ms  1.649 ms
>>  2  172.17.24.254  21.162 ms  21.182 ms
>>  3  77.129.29.106  23.210 ms 77.129.29.107  23.206 ms
>>  4  77.154.127.153  25.220 ms 77.154.127.157  25.226 ms
>>  5  77.154.127.102  25.306 ms 77.154.115.133  28.178 ms
>>  6  77.154.127.101  25.114 ms  25.084 ms
>>  7  77.154.115.133  28.108 ms  28.084 ms
>>  8  109.5.247.249  24.979 ms 108.170.244.193  26.450 ms
>>  9  72.14.218.124  27.011 ms  26.771 ms
>> 10  8.8.8.8  23.347 ms 108.170.245.1  24.641 ms
>>
>>
>> 15:43 $ dig @8.8.8.8 keeex.me
>> ; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 keeex.me
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15520
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ;; QUESTION SECTION:
>> ;keeex.me.                      IN      A
>> ;; Query time: 42 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Thu Apr 18 15:43:54 CEST 2019
>> ;; MSG SIZE  rcvd: 37
>>
>>
>> 15:43 $ dig @

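Added example, not part of the original thread: a small Python parser for dig's text output that compares a normal query with a `+cd` (checking disabled) query and decodes the RRSIG fields, including the signature validity window. The function names are hypothetical and the sample input is trimmed from the two dig captures quoted above; those captures come from different resolvers, so for a real check send both queries to the same resolver.

```python
import re
from datetime import datetime, timezone

# IANA DNSSEC algorithm numbers (subset) used to label the RRSIG algorithm field.
ALGORITHMS = {3: "DSA/SHA1", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

# Sample input trimmed from the two dig captures quoted in this thread.
PLAIN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15520
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
WITH_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16130
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
keeex.me.               60      IN      RRSIG   A 3 2 60 20190508050056 20190408050056 58799 keeex.me. CAzEaUvs0/Rp09SBPk3yMHRf40GnayZtkS7kjV8gI7PK7Ns47McQ3eE=
"""

RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+) (\d+) (\d+) (\d+) "
                      r"(\d{14}) (\d{14}) (\d+) (\S+)", re.M)

def _ts(s):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig(text):
    """Extract the status, header flags and RRSIG fields from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    sigs = [{"owner": m[1], "covers": m[2],
             "algorithm": ALGORITHMS.get(int(m[3]), m[3]),
             "expires": _ts(m[6]), "inception": _ts(m[7]),
             "key_tag": int(m[8]), "signer": m[9]} for m in RRSIG_RE.finditer(text)]
    return {"status": status, "flags": flags, "rrsigs": sigs}

def classify(plain, cd):
    """Compare a normal query with a +cd query for the same name."""
    if plain["status"] == "SERVFAIL" and cd["status"] == "NOERROR" and "cd" in cd["flags"]:
        return "resolver-side DNSSEC validation failure"
    if plain["status"] == cd["status"] == "SERVFAIL":
        return "resolution failure unrelated to validation"
    return "no validation problem visible"

def in_validity_window(sig, when):
    """True if the signature is neither expired nor not yet valid at `when`."""
    return sig["inception"] <= when <= sig["expires"]
```

An answer that only appears with `+cd` shows that the records exist and that the failure happens during validation, so the next things to compare are the algorithm, key tag and validity window of each RRSIG against the DS and DNSKEY records in the chain.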