Google Public DNS (8.8.8.8) fails DNSSEC
Some debug traces
I happened to notice that Google Public DNS (8.8.8.8) fails the DNSSEC checks for my domain (ypcs.fi). Other public resolvers seem to resolve everything fine, and so does e.g. the Verisign DNSSEC analyzer.
Cloudflare (1.1.1.1)
$ dig @1.1.1.1 ypcs.fi +dnssec
; <<>> DiG 9.16.8-Debian <<>> @1.1.1.1 ypcs.fi +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47701
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ypcs.fi. IN A
;; ANSWER SECTION:
ypcs.fi. 85973 IN RRSIG A 8 2 86400 20210113230001 20201214230001 13140 ypcs.fi. RcaSVxUBqyndb6o82IPUqguCq678tvOMa9Ikg7FtsuTgSBqdr8VyAGAr mdWxOoa9pwWWA+QU0iqEsRbwj71MHl8YuztLHw7Ft1XG+jdcl8K2cVFb Fke/uwF/3m0C/jzkUduk6UrDBq+mBv4I6qm29ZtLZ3WVYSGvXZbAZHzX OkAxYo70RxQb0C+cH/+aWGGenaTTZ28e0zlYakfwJLCjd7+NYSfGDCwy SQqcJENZiTqNeB61HiEYdu5isc27VcZhEgRHi4QxCsLvYSFWf7VFOx/2 Wl4anRSa9KdrxkTBs3J7sJQwVgwLXENhAyG/GTBTNHI+yoMbQUzdfYhG otQWUg==
ypcs.fi. 85973 IN A 185.199.109.153
ypcs.fi. 85973 IN A 185.199.108.153
ypcs.fi. 85973 IN A 185.199.110.153
ypcs.fi. 85973 IN A 185.199.111.153
;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Dec 15 08:53:08 EET 2020
;; MSG SIZE rcvd: 395
Google Public DNS (8.8.8.8)
$ dig @8.8.8.8 ypcs.fi +dnssec
; <<>> DiG 9.16.8-Debian <<>> @8.8.8.8 ypcs.fi +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ypcs.fi. IN A
;; Query time: 152 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 15 08:53:30 EET 2020
;; MSG SIZE rcvd: 36
Quad9 (9.9.9.9)
$ dig @9.9.9.9 ypcs.fi +dnssec
; <<>> DiG 9.16.8-Debian <<>> @9.9.9.9 ypcs.fi +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11064
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ypcs.fi. IN A
;; ANSWER SECTION:
ypcs.fi. 43200 IN A 185.199.111.153
ypcs.fi. 43200 IN A 185.199.109.153
ypcs.fi. 43200 IN A 185.199.108.153
ypcs.fi. 43200 IN A 185.199.110.153
ypcs.fi. 43200 IN RRSIG A 8 2 86400 20210113230001 20201214230001 13140 ypcs.fi. RcaSVxUBqyndb6o82IPUqguCq678tvOMa9Ikg7FtsuTgSBqdr8VyAGAr mdWxOoa9pwWWA+QU0iqEsRbwj71MHl8YuztLHw7Ft1XG+jdcl8K2cVFb Fke/uwF/3m0C/jzkUduk6UrDBq+mBv4I6qm29ZtLZ3WVYSGvXZbAZHzX OkAxYo70RxQb0C+cH/+aWGGenaTTZ28e0zlYakfwJLCjd7+NYSfGDCwy SQqcJENZiTqNeB61HiEYdu5isc27VcZhEgRHi4QxCsLvYSFWf7VFOx/2 Wl4anRSa9KdrxkTBs3J7sJQwVgwLXENhAyG/GTBTNHI+yoMbQUzdfYhG otQWUg==
;; Query time: 100 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue Dec 15 08:53:44 EET 2020
;; MSG SIZE rcvd: 395
VeriSign DNSSEC analyzer
https://dnssec-analyzer.verisignlabs.com/ypcs.fi
DNSViz.net
https://dnsviz.net/d/ypcs.fi/dnssec/
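Comparing the traces by machine: the following is an added example, not part of the original post, that parses the header lines of dig output from several resolvers and reports which resolver disagrees with the majority. The header lines are copied from the traces above; the function names and verdict labels are made up for this example.

```python
import re
from collections import Counter

# Header lines copied from the three dig traces above (answer sections omitted).
TRACES = {
    "1.1.1.1": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47701\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags: do; udp: 1232\n"),
    "8.8.8.8": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29405\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags: do; udp: 512\n"),
    "9.9.9.9": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11064\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags: do; udp: 512\n"),
}

STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*status: (\w+)", re.M)
# Anchored on ";; flags:" so the "; EDNS: ... flags: do" line is not matched.
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)", re.M)


def parse_dig(text):
    """Extract rcode, header flags and answer count from dig output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"status": status.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}


def classify(result):
    """Map a parsed header to a verdict (labels are this example's own)."""
    if result["status"] == "NOERROR":
        # 'ad' means the resolver validated the answer itself.
        return "validated" if "ad" in result["flags"] else "unvalidated"
    return result["status"].lower()


def compare(traces):
    """Return per-resolver verdicts and the resolvers that differ from the majority."""
    verdicts = {name: classify(parse_dig(out)) for name, out in traces.items()}
    majority = Counter(verdicts.values()).most_common(1)[0][0]
    return verdicts, sorted(n for n, v in verdicts.items() if v != majority)


if __name__ == "__main__":
    print(compare(TRACES))
```

SERVFAIL on its own does not prove a validation failure. Repeating the failing query with dig's +cd (checking disabled) option shows whether the resolver can fetch the records when it skips validation.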
Feedback / comments?
Either send e-mail or ping at Mastodon (mastodontti.fi/@ypcs).