doesn't return DNSSEC data for disa.mil; Google's does

Cloudflare’s seems to be having trouble with disa.mil names and DNSSEC; Cloudflare doesn’t work and Google’s does.

$ dig disa.mil @ +dnssec +short

A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.



aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

$ dig disa.mil @ +dnssec +short

Note that didn’t return DNSSEC data. When using a client that enforces DNSSEC, that leads to an inability to resolve the name.

Since Google returns DNSSEC data, I’m assuming disa.mil’s DNSSEC is valid and working.

I’ve passed this along to some folks on the team to see what I can find out. Stay tuned!

It turns out the domain had DNSSEC issues recently and we installed a Negative Trust Anchor for it. So even if the domain has problems, it should prevent us from failing it.

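The difference discussed in this thread (one resolver's answer carries RRSIG records, the other's does not) can be checked directly on the wire-format response. The sketch below is an added example, not code from any poster or from Cloudflare. The function names, the `example.test` name, the `192.0.2.1` address and the filler RRSIG bytes are constructed for illustration, and the wording of each verdict is an assumption about how a validating client would treat the answer.

```python
import struct

A, RRSIG = 1, 46     # record type codes
AD = 0x0020          # "authenticated data" bit in the header flags

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n                # length byte plus label
        if n == 0:                  # root label ends the name
            return off

def dnssec_view(msg):
    """Report the AD flag and the answer-section record types of a response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen                       # fixed RR fields plus RDATA
    return {"ad": bool(flags & AD), "rrsig": RRSIG in types, "types": types}

def verdict(view):
    """Hypothetical wording; describes what the answer gives a DNSSEC-aware client."""
    if not view["rrsig"]:
        return "no signatures: a locally validating client cannot verify this"
    return "signed, resolver validated" if view["ad"] else "signed, not validated by resolver"

def build_response(ad, with_rrsig, name="example.test"):
    """Constructed sample response; the RRSIG RDATA is filler, not a real signature."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    rrs = [(A, bytes([192, 0, 2, 1]))] + ([(RRSIG, b"\0" * 24)] if with_rrsig else [])
    msg = struct.pack("!6H", 0x1234, 0x8180 | (AD if ad else 0), 1, len(rrs), 0, 0)
    msg += qname + struct.pack("!2H", A, 1)
    for rtype, rdata in rrs:                    # owner name is a pointer to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 7200, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for label, msg in [("with signatures", build_response(True, True)),
                       ("without signatures", build_response(False, False))]:
        print(label, "->", verdict(dnssec_view(msg)))
```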