Anybody know what I can do to prevent FreeIPA/DNSSEC's bind from
providing a DS record not just for sub-domains, but for the domain itself?
Some DNSSEC resolvers, like Google and Cloudflare, fail if, as FreeIPA
DNSSEC does, the domain publishes a DS record for itself.
See
https://community.cloudflare.com/t/only-at-cloudflare-ede-6-dnssec-bogus-...
[root@registry1 ~]# dig -t DS cloudflair.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS cloudflair.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 649f8f375d57b853c3c929c262e0853ba3fe8f9b9670b440 (good)
;; QUESTION SECTION:
;cloudflair.com. IN DS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1658881322 1800 900 604800 86400
;; Query time: 19 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:22:19 CDT 2022
;; MSG SIZE rcvd: 144
[root@registry1 ~]# dig -t DS quietfountain.com.
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> -t DS quietfountain.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4f8550482500f225bd575f6e62e08573b52b505d8b28093d (good)
;; QUESTION SECTION:
;quietfountain.com. IN DS
;; ANSWER SECTION:
quietfountain.com. 86087 IN DS 38102 8 2
DBD6CA3C6100AC6AE94B2FE2CC7AE6C1CFC1493680164FC920AB06D8 43F0A8E7
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 26 19:23:15 CDT 2022
;; MSG SIZE rcvd: 122
On 7/26/22 17:59, Harry G. Coin wrote:
I have a DNSSEC-enabled domain that passes all the Verisign and
related DNSSEC tests (all green, no errors) and DNS sources like AT&T
and Verizon. But it fails at some popular DNS servers like Google
and Cloudflare. I'd appreciate what anyone can make of that; there
are no obvious debugging directions when Verisign says 'all good'.
If I turn on the 'cdflag', most all of
https://dnschecker.org/#A/quietfountain.com works. Turn it off, and
some report problems. Some clues most welcome!
Harry Coin
Here's Quad9, for example:
[root@registry1 ~]# dig @9.9.9.9 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @9.9.9.9 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45758
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; ANSWER SECTION:
quietfountain.com. 43200 IN A 147.135.121.120
quietfountain.com. 43200 IN A 51.81.131.192
;; Query time: 1463 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Jul 26 17:53:39 CDT 2022
;; MSG SIZE rcvd: 78
But, here's Cloudflare and Google:
[root@registry1 ~]# dig @1.1.1.1 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @1.1.1.1 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64113
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for quietfountain.com.)
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2197 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 26 17:51:22 CDT 2022
;; MSG SIZE rcvd: 103
[root@registry1 ~]# dig @8.8.8.8 quietfountain.com
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> @8.8.8.8 quietfountain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61907
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;quietfountain.com. IN A
;; Query time: 2303 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 26 17:51:35 CDT 2022
;; MSG SIZE rcvd: 46
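An added example, not from this thread or from FreeIPA, showing the check behind the EDE 9 "no SEP matching the DS" reply above: derive the DS a parent zone should publish from a child DNSKEY (RFC 4034 section 5.1.4, key tag per Appendix B) and test whether a DS seen in the parent matches any key in the child's apex DNSKEY set. The owner name example.com, the key bytes and the DS are constructed, not real zone data.

```python
import hashlib
import struct

# Digest types a DS RR may carry (RFC 4034 s5.1.3; SHA-384 from RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name such as 'example.com.'."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS the parent should publish for this DNSKEY, as
    (key_tag, algorithm, digest_type, HEX_DIGEST), where
    digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey_set(owner: str, ds: tuple, dnskeys: list) -> bool:
    """True if some DNSKEY in the child's apex set hashes to the parent's DS.
    False is the condition a validator reports as EDE 9 'no SEP matching the DS'."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: this DS cannot be used for validation
    return any(ds_from_dnskey(owner, k, dtype) == (tag, alg, dtype, digest.upper())
               for k in dnskeys)

# Constructed sample keys (flags 257 = KSK/SEP, 256 = ZSK), algorithm 8; the key
# bytes are placeholders, not real RSA material.
KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
ZSK = dnskey_rdata(256, 3, 8, bytes(range(64, 0, -1)))
PARENT_DS = ds_from_dnskey("example.com.", KSK)
```

Feed it the DNSKEY set from `dig +norec DNSKEY <zone>` at the authoritative server and the DS from the parent (for the page's case, the `dig -t DS` output above) to see whether the mismatch is a stale or wrong DS rather than a signing problem.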