Canarabank.com is not resolving on 1.1.1.1

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @1.1.1.1 A canarabank.com +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16304
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;canarabank.com.                        IN      A

;; Query time: 1280 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sat Feb 25 21:17:07 IST 2023
;; MSG SIZE  rcvd: 43
1 Like

Adding to that, my ISP Airtel is resolving the site well.

 dig canarabank.com @192.168.98.96

; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> canarabank.com @192.168.98.96
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;canarabank.com.                        IN      A

;; ANSWER SECTION:
canarabank.com.         146     IN      A       107.162.160.8

;; Query time: 80 msec
;; SERVER: 192.168.98.96#53(192.168.98.96) (UDP)
;; WHEN: Sat Feb 25 21:29:05 IST 2023
;; MSG SIZE  rcvd: 59

canarabank.com seems to have a quite broken name server and DNSSEC setup right now.

They are currently pointing their domain’s name servers at various servers operated by Akamai, Google, and sify.net.

The parent (e.g. .com registry) lists a DS key with algorithm 13 (ECDSA P-256), but Google responds with DNSSEC for algorithm 8 (RSASHA256).

The two sify.net servers do not respond with DNSSEC signed records at all.

As such, when you are unlucky that the queries that go through 1.1.1.1 are reaching (and being responded to by) either Google or sify.net, the DNSSEC verification is failing.

If you have any other way to reach them, I suggest you contact them and tell the administrators/technicians behind canarabank.com that their DNSSEC (and name server) setup is broken, as that might speed up the process a little bit.

Re. “a little bit”: Changing stuff like this (name servers, DNSSEC) can easily take up to 48-96 hours to propagate to a state where it is working again everywhere on the Internet, from the time when it is fixed properly.

1 Like
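The per-name-server consistency check that the answer above describes, as an added example that is not part of the original thread: each authoritative server's DNSKEY answer is compared with the DS set published by the parent, which is the comparison a validating resolver such as 1.1.1.1 fails on before returning SERVFAIL. The key bytes and the `ns-*.example` server names are constructed placeholders, not canarabank.com's real records, and a server that does serve the matching key is assumed only to show the passing case.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_server(owner, parent_ds, dnskeys):
    """Classify one server's DNSKEY answer against the parent's DS set."""
    if not dnskeys:
        return "unsigned"            # DS exists at the parent, zone served unsigned
    if any(make_ds(owner, k) in parent_ds for k in dnskeys):
        return "ok"                  # chain of trust can be built
    if not {k[3] for k in dnskeys} & {ds[1] for ds in parent_ds}:
        return "algorithm-mismatch"  # e.g. DS says 13, server signs with 8
    return "key-mismatch"            # same algorithm, different key

def audit(owner, parent_ds, responses):
    return {ns: check_server(owner, parent_ds, keys) for ns, keys in responses.items()}

# Constructed sample data: DNSKEY RDATA = flags, protocol, algorithm, key bytes.
OWNER = "canarabank.com."
KSK_ALG13 = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
KSK_ALG8 = struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + bytes(range(1, 129))
PARENT_DS = {make_ds(OWNER, KSK_ALG13)}   # parent lists algorithm 13 only
RESPONSES = {
    "ns-a.example": [KSK_ALG13],  # assumed: serves the key the DS points at
    "ns-b.example": [KSK_ALG8],   # signs with algorithm 8 instead
    "ns-c.example": [],           # returns no DNSSEC records at all
}

if __name__ == "__main__":
    for ns, status in audit(OWNER, PARENT_DS, RESPONSES).items():
        print(f"{ns}: {status}")
```

Any result other than `ok` for a server in the NS set means a validating resolver that happens to query that server will treat the answer as bogus.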

I reported it to them!