
[public-dns-discuss] Re: Google DNS (8.8.8.8 & 8.8.4.4) Returns wrong NSEC answer for my domain!



Hi,

When I query your nameserver, I get the same result, so I think this is working correctly:

$ dig aluekouluttaja.fi. NSEC @213.250.93.67

; <<>> DiG 9.10.6 <<>> aluekouluttaja.fi. NSEC @213.250.93.67
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7670
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;aluekouluttaja.fi. IN NSEC

;; ANSWER SECTION:
aluekouluttaja.fi. 3600 IN NSEC _sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY

;; Query time: 118 msec
;; SERVER: 213.250.93.67#53(213.250.93.67)
;; WHEN: Tue Oct 01 10:14:49 EDT 2019
;; MSG SIZE  rcvd: 109

On Tuesday, October 1, 2019 at 9:39:36 AM UTC-4, Pekka Panula wrote:
Hi

Google DNS gives a weird NSEC result for my domain aluekouluttaja.fi

Result for aluekouluttaja.fi/NSEC with DNSSEC validation:

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47
    }
  ],
  "Answer": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47,
      "TTL": 3599,
      "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
    }
  ],
  "Comment": "Response from 213.250.93.67."
}

As you can see Answer data is: "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
But it should be: "data": "aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"

I have checked with different validation services but they all say my zone & DNSSEC is OK, no problems.

When I query DNS from my DNS servers I got the correct answer for NSEC, it just seems Google DNS has this problem.

Any ideas what's causing this?

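In presentation format, NSEC RDATA is the Next Domain Name followed by the list of types present at the owner name (RFC 4034 section 4). The following is an added example, not part of the original thread: it splits the DoH JSON answer quoted above into those fields and compares owner and next name in canonical order. The function names and the position labels are assumptions made for illustration.

```python
import json

# Constructed from the DoH JSON answer quoted in the thread (only the fields used here).
DOH_RESPONSE = """
{"Status": 0, "AD": true,
 "Question": [{"name": "aluekouluttaja.fi.", "type": 47}],
 "Answer": [{"name": "aluekouluttaja.fi.", "type": 47, "TTL": 3599,
   "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"}]}
"""

NSEC = 47  # RR type code for NSEC


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name order.

    Labels are compared right to left as lowercase octet strings, and a name
    sorts before its own descendants. Assumes names contain no escaped characters.
    """
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def describe_nsec(doh_json_text):
    """Return one dict per NSEC answer: owner, next name, types, chain position."""
    records = []
    for answer in json.loads(doh_json_text).get("Answer", []):
        if answer["type"] != NSEC:
            continue
        # RDATA = Next Domain Name, then the types that exist at the owner name.
        next_name, *types = answer["data"].split()
        owner_key, next_key = canonical_key(answer["name"]), canonical_key(next_name)
        if next_key > owner_key:
            position = "forward"        # next existing name sorts after the owner
        elif next_key == owner_key:
            position = "single-name"    # the owner is the only name in the zone
        else:
            position = "wraps-to-apex"  # last NSEC in the chain points back to the apex
        records.append({"owner": answer["name"], "next": next_name,
                        "types": types, "position": position})
    return records


if __name__ == "__main__":
    for rec in describe_nsec(DOH_RESPONSE):
        print(rec)
```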