
[public-dns-discuss] Re: Google DNS ( & Returns wrong NSEC answer for my domain!


Ah, you are correct, it was my compare script that, I assume, was getting some (old) DNS NSEC record.
I didn't completely understand the whole NSEC record, but looking for more documentation I get it now, so there is no problem with Google DNSes.
It was just a problem with my DNS check script, where I check the zone against Google DNS.


On Tuesday, October 1, 2019 at 17:15:53 UTC+3, Jon Horovitz wrote:

When I query your nameserver, I get the same result, so I think this is working correctly:

$ dig aluekouluttaja.fi. NSEC @

; <<>> DiG 9.10.6 <<>> aluekouluttaja.fi. NSEC @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7670
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1680
;aluekouluttaja.fi. IN NSEC

aluekouluttaja.fi. 3600 IN NSEC _sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY

;; Query time: 118 msec
;; WHEN: Tue Oct 01 10:14:49 EDT 2019
;; MSG SIZE  rcvd: 109

On Tuesday, October 1, 2019 at 9:39:36 AM UTC-4, Pekka Panula wrote:

Google DNS gives weird NSEC result for my domain aluekouluttaja.fi

Result for aluekouluttaja.fi/NSEC with DNSSEC validation:

{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": true,
  "CD": false,
  "Question": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47
    }
  ],
  "Answer": [
    {
      "name": "aluekouluttaja.fi.",
      "type": 47,
      "TTL": 3599,
      "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
    }
  ],
  "Comment": "Response from"
}

As you can see Answer data is: "data": "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"
But it should be: "data": "aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"

I have checked with different validation services but they all say my zone & DNSSEC is OK, no problems.

When I query DNS from my DNS servers I got the correct answer for NSEC, it just seems Google DNS has this problem.

Any ideas what's causing this?
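
Added example, not part of the thread and not any poster's script: the first field of NSEC RDATA is the next owner name in canonical order (RFC 4034 section 6.1), which is why the apex record points at _sipfederationtls._tcp rather than at itself. The sketch below goes one step beyond the thread by checking any owner in a zone; the "mail" and "www" names are hypothetical, only the apex and the _sipfederationtls._tcp name come from the thread.

```python
# Added example (not from the thread). Only the apex and the
# _sipfederationtls._tcp name appear in the thread; "mail" and "www" are
# hypothetical owner names. Labels containing escaped dots are not handled.
ZONE_OWNERS = [
    "www.aluekouluttaja.fi.",
    "aluekouluttaja.fi.",
    "mail.aluekouluttaja.fi.",
    "_sipfederationtls._tcp.aluekouluttaja.fi.",
]
# NSEC RDATA exactly as quoted in the thread's JSON answer.
RESOLVER_DATA = "_sipfederationtls._tcp.aluekouluttaja.fi. NS SOA MX TXT RRSIG NSEC DNSKEY"

def canonical_key(name):
    """RFC 4034 section 6.1 key: lowercased labels, rightmost label first."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def parse_nsec(data):
    """Split presentation-format NSEC RDATA into (next owner, type list)."""
    fields = data.split()
    return fields[0].lower(), fields[1:]

def expected_next(owner, zone_owners):
    """Owner that follows `owner` in the chain; the last name wraps around."""
    chain = sorted({n.lower() for n in zone_owners}, key=canonical_key)
    return chain[(chain.index(owner.lower()) + 1) % len(chain)]

def check_nsec(owner, data, zone_owners):
    """Return a list of problems; an empty list means the answer is consistent."""
    next_name, types = parse_nsec(data)
    problems = []
    want = expected_next(owner, zone_owners)
    if next_name != want:
        problems.append(f"next owner is {next_name}, expected {want}")
    # An NSEC RRset is always signed, so its own bitmap lists NSEC and RRSIG.
    for required in ("NSEC", "RRSIG"):
        if required not in types:
            problems.append(f"type bitmap lacks {required}")
    return problems

if __name__ == "__main__":
    apex = "aluekouluttaja.fi."
    print(check_nsec(apex, RESOLVER_DATA, ZONE_OWNERS))
    print(check_nsec(apex, apex + " NS SOA MX TXT RRSIG NSEC DNSKEY", ZONE_OWNERS))
```

An NSEC whose next-owner field equals its own owner name is only correct for a zone with a single owner name, where the chain wraps straight back to the apex.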
