
[public-dns-discuss] Re: 8.8.8.8 cannot resolve live.mq.polaris-cloud.app




On Friday, December 20, 2019 at 3:17:47 PM UTC-5 Alex wrote:
dig @8.8.8.8 live.mq.polaris-cloud.app

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;live.mq.polaris-cloud.app. IN A

I've double and triple checked my DNS settings and cannot see anything wrong - why can't Google resolve this address?


https://issuetracker.google.com/issues/146298133 –  Issue resolving delegated Route53 subdomains

Amazon Route53 name servers for zones with delegated subdomains do not handle queries for DS records in full compliance with RFC 4035. Instead of sending an authoritative NOERROR+NODATA response for a DS query for a delegation point with NS records, Route53 returns a referral response to the child name server.

Since an authoritative response for a DS query is not strictly necessary, [since parent domains] have DNSSEC-signed non-existence proofs for their DS records showing that all subdomains below them are insecure, Google Public DNS should be able to ignore these referral responses during its bottom-up DNSSEC validation process.

We are looking into how this could be done, and trying to better understand why this just started being a problem last week – did the Route53 responses change, or did the Google Public DNS query pattern during DNSSEC validation change?

Google Public DNS has inconsistent responses (only sometimes successful) depending on whether the insecure delegation / unsigned zone status of a parent zone has been cached (in which case no queries for DS records are performed).
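
Added example, not part of the original message or of any Google or Amazon code: a small classifier that tells the two DS-query replies described above apart (authoritative NOERROR+NODATA versus a referral to the child) from dig-style output, such as that of `dig +norecurse DS <delegation point> @<parent name server>`. The function name, the result labels and the example.com sample replies are constructed for illustration.

```python
import re

# Constructed dig-style replies to a DS query sent to the parent zone's name
# server. example.com and sub.example.com are placeholders, not from the thread.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;sub.example.com. IN DS
;; AUTHORITY SECTION:
sub.example.com. 300 IN NS ns1.child.example.
sub.example.com. 300 IN NS ns2.child.example.
"""
NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;sub.example.com. IN DS
;; AUTHORITY SECTION:
example.com. 900 IN SOA ns1.parent.example. admin.example.com. 1 7200 900 1209600 86400
"""

def classify_ds_response(dig_text):
    """Classify a parent server's reply to a DS query at a delegation point."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"^;; flags:([^;]*);", dig_text, re.M)
    if not status or not flags:
        return "unparseable"
    if status.group(1) != "NOERROR":
        return "error:" + status.group(1)
    aa = "aa" in flags.group(1).split()
    section, types = None, {"ANSWER": set(), "AUTHORITY": set()}
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif line.strip() and not line.startswith(";") and section in types:
            fields = line.split()  # name, TTL, class, type, rdata...
            if len(fields) >= 4:
                types[section].add(fields[3])
    if "DS" in types["ANSWER"]:
        return "ds-present"            # signed delegation
    if aa and "SOA" in types["AUTHORITY"]:
        return "authoritative-nodata"  # the reply the message says RFC 4035 calls for
    if not aa and "NS" in types["AUTHORITY"] and not types["ANSWER"]:
        return "referral"              # the behaviour the message attributes to Route53
    return "other"

if __name__ == "__main__":
    for name, text in (("referral", REFERRAL), ("nodata", NODATA)):
        print(name, "->", classify_ds_response(text))
```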

