For the benefit of others: DNSSEC takes longer per query and transaction. I don't know whether this is the whole answer or a partial one, but I found one freeipa dnssec-enabled website that sometimes passed, sometimes failed dig @1.1.1.1 (the failures look like this):
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for quietfountain.com.)
So it's starting to look like some race condition or timeout or combination.
Anybody know what I can do to prevent freeipa/dnssec's bind from providing a DS record not just for sub-domains, but for the domain itself?
Some dnssec resolvers, like Google and Cloudflare, fail if, as freeipa dnssec does, the domain publishes a DS record for itself.
[root@registry1 ~]# dig -t DS cloudflair.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS cloudflair.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 649f8f375d57b853c3c929c262e0853ba3fe8f9b9670b440 (good)
;; QUESTION SECTION:
;cloudflair.com. IN DS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1658881322 1800 900 604800 86400
;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:22:19 CDT 2022
;; MSG SIZE rcvd: 144
[root@registry1 ~]# dig -t DS quietfountain.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS quietfountain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4f8550482500f225bd575f6e62e08573b52b505d8b28093d (good)
;; QUESTION SECTION:
;quietfountain.com. IN DS
;; ANSWER SECTION:
quietfountain.com. 86087 IN DS 38102 8 2 DBD6CA3C6100AC6AE94B2FE2CC7AE6C1CFC1493680164FC920AB06D8 43F0A8E7
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:23:15 CDT 2022
;; MSG SIZE rcvd: 122
On 7/26/22 17:59, Harry G. Coin wrote:
I have a dnssec-enabled domain that passes all the Verisign and related dnssec tests (all green, no errors) and dns sources like AT&T and Verizon. But it fails at some popular dns servers like Google and Cloudflare. I'd appreciate what anyone can make of that; there are no obvious debugging directions when Verisign says 'all good'. If I turn on the 'cdflag', most all of https://dnschecker.org/#A/quietfountain.com works. Turn it off, and some report problems. Some clues most welcome!
Harry Coin
Here's Quad9, for example:
[root@registry1 ~]# dig @9.9.9.9 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @9.9.9.9 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45758
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; ANSWER SECTION:
quietfountain.com. 43200 IN A 147.135.121.120
quietfountain.com. 43200 IN A 51.81.131.192
;; Query time: 1463 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Jul 26 17:53:39 CDT 2022
;; MSG SIZE rcvd: 78
But here's Cloudflare and Google:
[root@registry1 ~]# dig @1.1.1.1 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @1.1.1.1 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64113
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for quietfountain.com.)
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2197 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 26 17:51:22 CDT 2022
;; MSG SIZE rcvd: 103
[root@registry1 ~]# dig @8.8.8.8 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @8.8.8.8 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2303 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 26 17:51:35 CDT 2022
;; MSG SIZE rcvd: 46
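The EDE 9 text above ("no SEP matching the DS found") means the validator could not find a DNSKEY in the zone whose key tag, algorithm and digest match a DS record it holds for that name. The script below is an added example, not code from the thread or from freeipa: it recomputes the DS digest from a DNSKEY the way RFC 4034 specifies, so you can paste the DS from `dig -t DS` and the keys from `dig -t DNSKEY` and see offline which DS entries actually match. The demo key is a constructed 4-byte placeholder, not a real key for quietfountain.com.

```python
# Offline check for the EDE 9 condition: does any DNSKEY authenticate the parent's DS?
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA from its presentation fields ('257 3 8 <base64>')."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 s5.1.4: hash over owner name (wire form) + DNSKEY RDATA."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, name_to_wire(owner) + rdata).hexdigest().upper()

def matching_keys(owner, ds_records, dnskey_records):
    """Map each DS (tag, alg, dtype, digest) to the DNSKEYs that match it as (tag, sep).
    Validators match on tag, algorithm and digest; the SEP bit is a hint, reported only."""
    result = {}
    for tag, alg, dtype, digest in ds_records:
        want = digest.replace(" ", "").upper()  # dig prints the digest with a space in it
        hits = []
        for flags, proto, kalg, pub in dnskey_records:
            rd = dnskey_rdata(flags, proto, kalg, pub)
            if kalg == alg and key_tag(rd) == tag and ds_digest(owner, rd, dtype) == want:
                hits.append((tag, bool(flags & 1)))
        result[(tag, alg, dtype)] = hits
    return result

# Constructed demo: a placeholder 4-byte "public key" (not a real key) for the thread's
# zone, one DS derived from it and one stale DS whose key tag no longer matches.
DEMO_OWNER = "quietfountain.com."
DEMO_DNSKEY = (257, 3, 8, "AQIDBA==")

def demo():
    rd = dnskey_rdata(*DEMO_DNSKEY)
    digest = ds_digest(DEMO_OWNER, rd, 2)
    return matching_keys(DEMO_OWNER, [(key_tag(rd), 8, 2, digest), (key_tag(rd) + 1, 8, 2, digest)], [DEMO_DNSKEY])
```

An empty list for a DS is exactly the state a validating resolver reports as EDE 9; a DS with no matching key is typically left over from an earlier key, so compare the tag in the parent's DS against the tags of the keys the zone currently serves.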