Re: unresolvable pms.psc.gov, but google/cloudflare/unbound work

Sun, 22 Aug 2021 09:25:31 -0700 

Your using the wrong tools to troubleshoot or investigate this error.

Instead of relying upon resolvers to provide situational awareness you need to 
inspect DNSSEC itself using dnsviz.net:

https://dnsviz.net/d/pms.psc.gov/dnssec/

psc.gov is giving the world ID 5089 when they need to handing out ID 180.

Recommend the pms.psc.gov admins give the psc.gov admins the correct hash.

Sent from Nine<http://www.9folders.com/>
________________________________
From: Roger Hammerstein <cheek...@gmx.com>
Sent: Sunday, August 22, 2021 9:45 AM
To: bind-users@lists.isc.org
Subject: unresolvable pms.psc.gov, but google/cloudflare/unbound work


pms.psc.gov appears to be unresolvable against bind9.16.19
and 9.11.34 because of dnssec issues.
But it resolves against Cloudflare's 1.1.1.1, Google's 8.8.8.8, and an Unbound
resolver that does dnssec-validation.

There's a ticket open with nih.gov to look into it, but is there anything that 
can
be changed with Bind to make this domain resolve in the meantime?

 (pms.psc.gov): query failed (SERVFAIL) for pms.psc.gov/IN/A at query.c:8678

https://dnsviz.net/d/pms.psc.gov/dnssec/
https://dnssec-analyzer.verisignlabs.com/pms.psc.gov

 dig a pms.psc.gov @8.8.8.8
pms.psc.gov.            2852    IN      CNAME   pms.ha.psc.gov.
pms.ha.psc.gov.         29      IN      A       156.40.178.24



dig a pms.psc.gov @8.8.8.8 +dnssec

;; ANSWER SECTION:
pms.psc.gov.            2835    IN      CNAME   pms.ha.psc.gov.
pms.psc.gov.            2835    IN      RRSIG   CNAME 8 3 3600 20210827000144 
20210821230144 5089 psc.gov. 
kpclRfRyBqaSGW6VrpkE4gP/QPfggKZTVb68npiosnt+4lIUglUxino5 
jQAqd9a1p8HbdHG63HPnfYYBq1bX9q/f11CVUmxXXJUbRBGTZBnDyATP 
LLI2GWSZ1at364O+C+iZozi8NpJNU4oTCfd3PLScFbOfSGbPyRfUzfvB AJc=
pms.ha.psc.gov.         29      IN      A       156.40.178.24
pms.ha.psc.gov.         29      IN      RRSIG   A 7 4 30 20210827185442 
20210820185442 21380 ha.psc.gov. 
w2XUqBVoBMtLv0qfc5xmccrpv+w2ukwGfaGJvthIKHXr2SdlAk3oQxve 
xyolEaj2zWn8Uj7lOsaZD8mewBMQ3iEEp8U96aFBslWV/ffEKL+H9oMM 
sUNU5KwNi7/Nk3KZuNc8R3xxuYTsSVdbu6ai1lQ6fmw2uWAoDP9YIqek 
jyo/0WFSXM+hxw/5WguijhilSRIywNgG3/6MY3ZmunPPafGTCTXigyex 
IBACJQJ+meD6vMi0YoRM17mwdD+7Buq2cb6LJyVYaQImh7M2gF8My75n 
lDns4PWEIx4bSW2uQQEPpB7MA9VI9y5CuVCmqC3wMZ2ow6G8pkaf18wv r/ucSQ==




I can sometimes get a servfail out of 8.8.8.8 with an any query
dig any pms.psc.gov @8.8.8.8 +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36332
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pms.psc.gov.                   IN      ANY
;; Query time: 5001 msec


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to