Reporting problem with www.cybersource.com DNSKEY

I use Fortinet Fortiguard DNS and they are saying www.cybersource.com DNSKEY is failing. Cybersource is using cloudflare but I am not the owner of the domain www.cybersource.com.
So I am reporting the problem here. I tried to email support but they said to use the community.

https://dnssec-analyzer.verisignlabs.com/www.cybersource.com

% nslookup www.cybersource.com 208.91.112.53
Server: 208.91.112.53
Address: 208.91.112.53#53

** server can't find www.cybersource.com: SERVFAIL```

The only people who can initiate a fix would be the site owners.

Their site loads for me, and it does have a Contact page. And they’re on Twitter.

1 Like

Site loads if you use a DNS server without DNSKEY validation. Fortinet DNS server uses DNSKEY validation to prevent spoofing. DNSKEY is failing on cloudflare which hosts the DNS for cybersource

The site also loads if you use DNSSEC validating DNS servers, such as 1.1.1.1.

Can you provide steps to reproduce the issue without using the FortiDNS (which does not respond to my queries)?

The step is simple as what i described using dig or nslookup it returns a servfail against fortiguard dns servers. Their servers are open so you should be able to connect to them. Not sure why you can’t. Here is Fortinet’s response:

The issue of "www.cybersource.com" is caused by the Cloudflare DNS server not being properly configured for DNSSSEC. More specifically, their authoritative servers are returning SERVFAIL for the below query, whereas it should be NOERROR without answers, aka NODATA.
$ dig @ns1.cloudflare.net www.cybersource.com.cdn.cloudflare.net. DNSKEY

; <<>> DiG 9.16.1-Ubuntu <<>> @ns1.cloudflare.net www.cybersource.com.cdn.cloudflare.net. DNSKEY
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17562
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.cybersource.com.cdn.cloudflare.net. IN DNSKEY

;; Query time: 10 msec
;; SERVER: 173.245.59.31#53(173.245.59.31)
;; WHEN: Thu Oct 28 16:18:30 PDT 2021
;; MSG SIZE rcvd: 67

Our Fortiguard DNS resolver enforces DNSSEC validation to add protection against DNS poisoning. You can also test the DNSSEC for any domain name with the tools listed by ICANN: https://www.icann.org/resources/pages/tools-2012-02-25-en

test result indicating the error:

https://dnssec-analyzer.verisignlabs.com/www.cybersource.com


Please let me know if you have any additional queries

This post was flagged by the community and is temporarily hidden.

This post was flagged by the community and is temporarily hidden.

looks like it is fixed now

nslookup www.cybersource.com 208.91.112.53
Server:		208.91.112.53
Address:	208.91.112.53#53

Non-authoritative answer:
Name:	www.cybersource.com
Address: 104.16.109.43
Name:	www.cybersource.com
Address: 104.16.110.43

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.