Domain does not resolve

Same problem with verimi.de? Same behavior from what I can see.

I get 80.158.18.197 from 1.1.1.1 and another resolver.

Interesting. Now I get the correct IP.
But at the time of writing I got SERVFAIL with the same id.server MUC.
But at the same time 8.8.8.8 was correct.
No ideas :o

Just based on the repeated issues here, Google DNS seems to soft fail DNSSEC and will still return the IP address even if it does fail. Google pretty much doesn’t trust the site owners to properly set it up. CF’s resolver seems to hard fail if DNSSEC fails and won’t return any IP.


That’s not true. Cloudflare and Google both operate DNSSEC in about the same way. They both enforce validation unless the client sends the CD bit or, on rare occasions, when the Cloudflare or Google admins set an NTA on some misconfigured, high profile zone.

https://developers.google.com/speed/public-dns/faq#dnssec

If something resolves on one and fails on the other, it’s probably for some other reason, like routing issues, or EDNS fallback differences, or even a software bug, not because one of them isn’t validating.
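The CD-bit behaviour described in this reply can be checked on the wire without trusting either resolver's word for it. The following is an added example, not code from the thread or from Cloudflare or Google: it builds a DNS query with and without the Checking Disabled (CD) flag, decodes the header of a reply (RCODE and the Authenticated Data (AD) bit), and applies the usual validating-resolver rule: SERVFAIL to the plain query but an answer to the CD query means the resolver validated and rejected the data, while SERVFAIL to both points at a non-DNSSEC cause such as the routing or EDNS issues mentioned above. The replies used here are constructed 12-byte headers (the `make_reply` helper is mine), so it runs offline; with a real resolver you would send `build_query()` over UDP port 53 and feed the response bytes to `diagnose()`.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2)
FLAG_QR = 0x8000   # reply (1) vs. query (0)
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: resolver validated the answer
FLAG_CD = 0x0010   # Checking Disabled: client asks resolver not to validate
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_A, txid=0x1234, checking_disabled=False):
    """Return a wire-format DNS query for `name`. RD is always set; CD is set
    on request so a validating resolver returns data it would otherwise reject."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte DNS header into the fields the diagnosis needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & RCODE_MASK
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "ancount": an,
    }


def diagnose(plain_reply, cd_reply):
    """Classify a resolver's behaviour from its reply to the plain query and
    to the same query with CD set (rule assumed from RFC 4035 semantics)."""
    p, c = parse_header(plain_reply), parse_header(cd_reply)
    if p["rcode"] == "NOERROR":
        # AD set: the resolver validated. AD clear: it answered but did not
        # validate this name (unsigned zone, or an NTA covering it).
        return "validated" if p["ad"] else "resolved-unvalidated"
    if p["rcode"] == "SERVFAIL" and c["rcode"] == "NOERROR" and c["ancount"] > 0:
        # Data exists but the resolver refused it: DNSSEC validation failure.
        return "dnssec-validation-failure"
    # SERVFAIL even with CD: the resolver could not get an answer at all.
    return "other-failure"


def make_reply(flags, ancount, txid=0x1234):
    """Constructed sample: a bare reply header, which is all diagnose() reads."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    # Constructed scenario: a validating resolver rejecting a broken zone.
    bogus_plain = make_reply(FLAG_QR | FLAG_RD | FLAG_RA | 2, 0)       # SERVFAIL
    bogus_cd = make_reply(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1)   # answer with CD
    print("broken zone:", diagnose(bogus_plain, bogus_cd))
    # Constructed scenario: signed zone validated cleanly (AD set).
    good = make_reply(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1)
    print("healthy zone:", diagnose(good, good))
```

The AD bit is only meaningful on a trusted path to the resolver (it is a plain header bit that anything in between can set or clear), so treat it as a diagnostic signal from the resolver you chose, not as proof that the answer is authentic.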

Sorry if I made it seem that way; having not looked into the issues all that much, all I see is other people’s solutions, and many times they’re related to DNSSEC.

Just based on my viewing of these topics and the replies for what the issues are, all I see is that 8^4 resolves the domain while 1^4 returns SERVFAIL with a DNSSEC issue.

  • disa.mil: The domain had issues and Cloudflare set an NTA; Google either had validation on or still returns RRSIGs when NTAs are in use.

  • www.esunbank.com.tw: The domain has multiple issues. Most resolvers can resolve some things; 1.1.1.1 can’t. I don’t think other resolvers are accepting bogus data. (I think it might be using the same server as postbank.de, but with additional problems.)

  • oneplus.com: Unsure what was wrong, but the domain doesn’t use DNSSEC.

  • postbank.de: The domain has issues. Cloudflare set an NTA. Other resolvers can resolve it with validation on, perhaps because of different validation algorithms, in particular not implementing aggressive NSEC3.

None of those posts demonstrate Google accepting bogus data. (The first one may or may not.)

What is an NTA, @mnordhoff?

verimi.de is a login solution which does not use DNSSEC. Shame, shame.
But with that information it cannot be a DNSSEC problem.

And Google DNS enforces it! See: https://groups.google.com/forum/?#!forum/public-dns-discuss/topics
Basically all posts are about DNSSEC issues.