For the benefit of others: DNSSec takes longer per query and
transaction. I don't know whether this is the whole answer or a
partial one, but I found one freeipa dnssec enabled website that
sometimes passed, sometimes failed dig @1.1.1.1 (the failures look like
this:
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for
.)
So it's starting to look like some race condition or timeout or combination.
On 7/27/22 08:55, Harry G. Coin wrote:
Anybody know what I can do to prevent freeipa/dnssec's bind from
providing a DS record not just for sub-domains, but for the domain itself?
Some dnssec resolvers, like Google and Cloudflare, fail if, as freeipa
dnssec does, the domain publishes a DS record for itself.
see
https://community.cloudflare.com/t/only-at-cloudflare-ede-6-dnssec-bogus-...
[root@registry1 ~]# dig -t DS cloudflair.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS cloudflair.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 649f8f375d57b853c3c929c262e0853ba3fe8f9b9670b440 (good)
;; QUESTION SECTION:
;cloudflair.com. IN DS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1658881322 1800 900 604800 86400
;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:22:19 CDT 2022
;; MSG SIZE rcvd: 144
[root@registry1 ~]# dig -t DS quietfountain.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS quietfountain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4f8550482500f225bd575f6e62e08573b52b505d8b28093d (good)
;; QUESTION SECTION:
;quietfountain.com. IN DS
;; ANSWER SECTION:
quietfountain.com. 86087 IN DS 38102 8 2 DBD6CA3C6100AC6AE94B2FE2CC7AE6C1CFC1493680164FC920AB06D8 43F0A8E7
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:23:15 CDT 2022
;; MSG SIZE rcvd: 122
On 7/26/22 17:59, Harry G. Coin wrote:
>
> I have a dnssec enabled domain that passes all the verisign and
> related dnssec tests (all green, no errors) and dns sources like AT&T
> and Verizon. But it fails at some popular dns servers like Google
> and Cloudflare. I'd appreciate what anyone can make of that; there
> are no obvious debugging directions when Verisign says 'all good'.
> If I turn on the 'cdflag' most all of
> https://dnschecker.org/#A/quietfountain.com works. Turn it off, and
> some report problems. Some clues most welcome!
>
> Harry Coin
>
>
> Here's Quad9, for example:
>
> [root@registry1 ~]# dig @9.9.9.9 quietfountain.com
>
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @9.9.9.9 quietfountain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45758
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;quietfountain.com. IN A
>
> ;; ANSWER SECTION:
> quietfountain.com. 43200 IN A 147.135.121.120
> quietfountain.com. 43200 IN A 51.81.131.192
>
> ;; Query time: 1463 msec
> ;; SERVER: 9.9.9.9#53(9.9.9.9)
> ;; WHEN: Tue Jul 26 17:53:39 CDT 2022
> ;; MSG SIZE rcvd: 78
>
> But, here's Cloudflare and Google:
>
> [root@registry1 ~]# dig @1.1.1.1 quietfountain.com
>
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @1.1.1.1 quietfountain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64113
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for quietfountain.com.)
> ;; QUESTION SECTION:
> ;quietfountain.com. IN A
>
> ;; Query time: 2197 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Tue Jul 26 17:51:22 CDT 2022
> ;; MSG SIZE rcvd: 103
>
> [root@registry1 ~]# dig @8.8.8.8 quietfountain.com
>
> ; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @8.8.8.8 quietfountain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61907
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;quietfountain.com. IN A
>
> ;; Query time: 2303 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Tue Jul 26 17:51:35 CDT 2022
> ;; MSG SIZE rcvd: 46
>
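An added example (not code from this thread, FreeIPA or BIND) of the check behind the "EDE 9 (DNSKEY Missing): no SEP matching the DS found" message the resolvers returned: compute the DS digest of each DNSKEY the zone serves (RFC 4034 section 5.1.4, hash of the canonical owner name followed by the DNSKEY RDATA) and compare it with the DS the parent publishes. The DS record is the one from the `dig -t DS quietfountain.com.` output above; the DNSKEY is a constructed placeholder, not the zone's real key, and all function and constant names are mine. To run it against the real zone, replace the placeholder with the records returned by `dig DNSKEY quietfountain.com.`; querying each authoritative server separately shows whether they all serve the same RRset.

```python
"""Check a zone's DNSKEY RRset against the DS records its parent publishes.

A validating resolver does this comparison before it can build a chain of
trust; when no DNSKEY matches any DS it reports EDE 9 (DNSKEY Missing).
Added example, not code from the thread, FreeIPA or BIND. The DS record is the
one quoted in the thread; the DNSKEY record is a constructed placeholder.
"""
import base64
import hashlib
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# DS record for quietfountain.com. exactly as quoted in the thread (dig -t DS output)
THREAD_DS_TEXT = "38102 8 2 DBD6CA3C6100AC6AE94B2FE2CC7AE6C1CFC1493680164FC920AB06D8 43F0A8E7"

# Constructed DNSKEY: flags 257 (zone key + SEP), protocol 3, algorithm 8.
# The key material is a placeholder, not a real RSA public key.
CONSTRUCTED_KSK_TEXT = "257 3 8 " + base64.b64encode(bytes(range(32))).decode()


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def is_sep(self) -> bool:
        # Flags bit 15 (value 1) is the Secure Entry Point flag carried by KSKs.
        return bool(self.flags & 0x0001)

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B (algorithm 1 uses a different rule, not handled here).
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, no spaces


def parse_dnskey(text: str) -> DNSKEY:
    """Parse presentation format 'flags protocol algorithm base64key' (key may be split)."""
    flags, proto, alg, *key_parts = text.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(key_parts)))


def parse_ds(text: str) -> DS:
    """Parse presentation format 'keytag algorithm digesttype hexdigest' (dig splits the hex)."""
    tag, alg, dtype, *hex_parts = text.split()
    return DS(int(tag), int(alg), int(dtype), "".join(hex_parts).upper())


def canonical_owner(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 s5.1.4: DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](canonical_owner(owner) + key.rdata()).hexdigest().upper()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def find_matching_sep(owner: str, ds_records, dnskeys):
    """Return the (DS, DNSKEY) pairs that agree; an empty list is the EDE 9 condition."""
    matches = []
    for ds in ds_records:
        if ds.digest_type not in DIGEST_ALGOS:
            continue  # unsupported digest type: validators treat such a DS as unusable
        for key in dnskeys:
            if key.protocol != 3 or key.algorithm != ds.algorithm or key.key_tag() != ds.key_tag:
                continue  # cheap filters before hashing
            if ds_from_dnskey(owner, key, ds.digest_type).digest == ds.digest:
                matches.append((ds, key))
    return matches


def diagnose(owner: str, ds_records, dnskeys) -> str:
    """One-line verdict in the wording the thread's resolvers used."""
    matches = find_matching_sep(owner, ds_records, dnskeys)
    if not matches:
        return f"EDE 9 (DNSKEY Missing): no SEP matching the DS found for {owner}"
    tags = ", ".join(str(k.key_tag()) for _, k in matches)
    return f"secure entry point for {owner}: DS matches DNSKEY tag(s) {tags}"


if __name__ == "__main__":
    owner = "quietfountain.com."
    parent_ds = [parse_ds(THREAD_DS_TEXT)]
    ksk = parse_dnskey(CONSTRUCTED_KSK_TEXT)
    # Placeholder key against the real DS: the condition the failing resolvers reported.
    print(diagnose(owner, parent_ds, [ksk]))
    # The DS the parent would have to publish for this key, for comparison.
    print(diagnose(owner, [ds_from_dnskey(owner, ksk)], [ksk]))
```

The key tag and algorithm comparison comes first because a validator only hashes keys whose tag and algorithm agree with the DS; a DS with a digest type the validator does not support is skipped rather than treated as a match, which is why an unsupported-only DS set also ends in the same failure.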