1.1.1.1 doesn't return DNSSEC data for disa.mil; Google's 8.8.8.8 does


#1

Cloudflare’s 1.1.1.1 seems to be having trouble with disa.mil names and DNSSEC; Cloudflare doesn’t work and Google’s 8.8.8.8 does.

$ dig disa.mil @8.8.8.8 +dnssec +short
156.112.108.76
A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=

$ dig disa.mil @1.1.1.1 +dnssec +short
156.112.108.76

Note that 1.1.1.1 didn’t return DNSSEC data. When using a client that enforces DNSSEC, that leads to an inability to resolve the name.

Since Google returns DNSSEC data, I’m assuming disa.mil’s DNSSEC is valid and working.


#3

I’ve passed this along to some folks on the 1.1.1.1 team to see what I can find out. Stay tuned!


#4

It turns out the domain had DNSSEC issues recently and we installed a Negative Trust Anchor for it. So even if the domain has problems it should prevent us from failing it.
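
An added example, not part of any post in this thread: `dig +short` hides the response header, so the comparison in #1 only shows whether RRSIG records came back. This sketch parses a raw DNS response and reports both the AD (Authenticated Data) bit and the RRSIG count in the answer section. The function names and the sample messages are constructed for illustration; the signature bytes are placeholders, not real disa.mil data.

```python
import struct

RRSIG = 46  # RR type code for RRSIG (RFC 4034)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label ends the name
            return off
        off += length

def dnssec_status(msg):
    """Classify a raw DNS response by its AD bit and RRSIGs in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    rrsigs = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        rrsigs += (rtype == RRSIG)
    if flags & 0x0020:                 # AD bit: resolver asserts it validated the answer
        return "validated"
    return "signed-unvalidated" if rrsigs else "no-dnssec-data"

# --- Constructed sample responses (illustrative only) ---
def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".")) + b"\0"

def build(flags, rrs):
    question = name("disa.mil.") + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 7200, len(rd)) + rd
                       for t, rd in rrs)
    return struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0) + question + answers

A_RR = (1, bytes([156, 112, 108, 76]))
# RRSIG RDATA header (type covered, alg, labels, TTL, expire, inception, key tag) + placeholder sig
SIG_RR = (RRSIG, struct.pack("!HBBIIIH", 1, 8, 2, 7200, 0, 0, 52983) + name("disa.mil.") + bytes(16))

if __name__ == "__main__":
    for label, flags, rrs in [("A only", 0x8180, [A_RR]), ("A+RRSIG", 0x8180, [A_RR, SIG_RR]),
                              ("A+RRSIG, AD", 0x81A0, [A_RR, SIG_RR])]:
        print(label, "->", dnssec_status(build(flags, rrs)))
```

A response classified as `no-dnssec-data` is the case a DNSSEC-enforcing client cannot use for a signed zone, which is the failure described in #1.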