1.1.1.1 doesn't return DNSSEC data for disa.mil; Google's 8.8.8.8 does

Cloudflare’s 1.1.1.1 seems to be having trouble with disa.mil names and DNSSEC; Cloudflare doesn’t work and Google’s 8.8.8.8 does.

$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76

Note that 1.1.1.1 didn’t return DNSSEC data. When using a client that enforces DNSSEC, that leads to an inability to resolve the name.

Since Google returns DNSSEC data, I’m assuming disa.mil’s DNSSEC is valid and working.

I’ve passed this along to some folks on the 1.1.1.1 team to see what I can find out. Stay tuned!

It turns out the domain had DNSSEC issues recently and we installed a Negative Trust Anchor for it. So even if the domain has problems it should prevent us from failing it.

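An added example, not part of the original thread: a small Python check that takes `dig +dnssec +short` output like the two answers above, reports whether an RRSIG came back, and checks whether the signature's inception/expiration window covers a given time. The function names are hypothetical, the samples are constructed from the fields shown in the thread, and the signature field is a placeholder rather than the real signature.

```python
from datetime import datetime, timezone

# DNSSEC algorithm numbers (subset of the IANA registry)
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 15: "ED25519"}

# Constructed samples: RRSIG fields as in the thread, signature is a placeholder.
GOOGLE_SAMPLE = ("156.112.108.76\n"
                 "A 8 2 7200 20181117145327 20181018145327 52983 disa.mil. PLACEHOLDERSIG=\n")
CLOUDFLARE_SAMPLE = "156.112.108.76\n"

def _ts(value):
    # dig prints RRSIG times as YYYYMMDDHHmmSS in UTC
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_short(text):
    """Split `dig +dnssec +short` output into (answers, rrsigs)."""
    answers, rrsigs = [], []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        # RRSIG rdata: covered-type alg labels orig-ttl expiration inception key-tag signer sig...
        is_rrsig = (len(f) >= 9 and all(x.isdigit() for x in f[1:7])
                    and len(f[4]) == len(f[5]) == 14 and f[7].endswith("."))
        if is_rrsig:
            rrsigs.append({"covers": f[0], "algorithm": ALGORITHMS.get(int(f[1]), f[1]),
                           "labels": int(f[2]), "orig_ttl": int(f[3]),
                           "expires": _ts(f[4]), "inception": _ts(f[5]),
                           "key_tag": int(f[6]), "signer": f[7]})
        else:
            answers.append(line.strip())
    return answers, rrsigs

def window_status(rrsig, now):
    """Time-window check only; this does not verify the signature cryptographically."""
    if now < rrsig["inception"]:
        return "not-yet-valid"
    if now > rrsig["expires"]:
        return "expired"
    return "in-window"

def describe(text, now):
    """'no-rrsig' if the resolver returned no signatures, else each RRSIG's window status."""
    _, rrsigs = parse_short(text)
    if not rrsigs:
        return "no-rrsig"
    return ",".join(window_status(r, now) for r in rrsigs)
```

An "in-window" result only says the signature is not stale; whether the chain validates is the resolver's job, and a resolver that treats the zone as insecure (for example under a Negative Trust Anchor) can return the answer with no RRSIG at all.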