Aug 22 2013

DNSSEC Issues

I recently noticed that when I was using Google Public DNS I could not reach my own domain at littlegemsoftware.com. With other DNS services, such as my own ISP's or OpenDNS, everything was working fine.

If it had been just me, switching to another DNS service would have been fine. However, I am running services on littlegemsoftware.com for my iOS application WoW Realms, and obviously I have no say in which DNS service my users use.

Using the nslookup command, I was able to get some additional information about what was going on.

OpenDNS

nslookup littlegemsoftware.com 208.67.222.222
Server:        208.67.222.222
Address:    208.67.222.222#53

Non-authoritative answer:
Name:    littlegemsoftware.com
Address: 83.80.209.129

Google DNS

Primary Nameserver

nslookup littlegemsoftware.com 8.8.8.8
Server:        8.8.8.8
Address:    8.8.8.8#53

** server can't find littlegemsoftware.com: SERVFAIL

Secondary Nameserver

nslookup littlegemsoftware.com 8.8.4.4
Server:        8.8.4.4
Address:    8.8.4.4#53

** server can't find littlegemsoftware.com: SERVFAIL

Debugging DNSSEC

Verisign Labs provides an online tool for testing domains for DNSSEC issues, called DNSSEC Analyzer. Its output flagged issues with the DNSKEY and RRSIG records.

DNSSEC Analyzer results

Conclusion: there are no DNSKEY or RRSIG records for the littlegemsoftware.com domain, but there are for the parent domain .com.

A Google search confirms that as of March 19, 2013 Google has enabled DNSSEC validation.

For the littlegemsoftware.com domain I am using Hover.com as registrar and for name services, but when I logged into my account and reviewed the DNS settings there were no settings for DNSKEY, RRSIGs or DNSSEC.

After contacting Hover Support and some back and forth, the issue was resolved by removing the DNSSEC settings for my domain.

nslookup littlegemsoftware.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   littlegemsoftware.com
Address: 83.80.209.129

So if you are the owner of a domain, it would be wise to check whether it can be resolved using some of the more popular DNS services.
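
One way to automate that check, as an added example that is not part of the original post: the Python script below sends the same A query to each resolver twice, once normally and once with the DNS Checking Disabled (CD) bit set, so a SERVFAIL that disappears when validation is skipped can be attributed to DNSSEC rather than to a missing record. The function names and the sample headers are constructed for illustration; run it with a domain and resolver IPs as arguments for a live check.

```python
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Constructed 12-byte DNS headers (not captured traffic): ID 0x1234, one question.
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")    # RCODE 2
SAMPLE_NOERROR_CD = bytes.fromhex("123481900001000100000000")  # CD echoed, RCODE 0

def build_query(name, qid, cd=False):
    """Encode an A query; cd=True sets the Checking Disabled bit (RFC 4035)."""
    flags = 0x0100 | (0x0010 if cd else 0)  # RD, plus CD when requested
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def rcode(response):  # RCODE is the low 4 bits of the header flags
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def classify(normal, with_cd):
    """Compare RCODEs for the same query sent without and with the CD bit."""
    if normal == "NOERROR":
        return "ok"
    if normal == "SERVFAIL" and with_cd == "NOERROR":
        return "dnssec-validation-failure"  # data exists, validation rejects it
    return "other-failure"

def ask(resolver, name, cd, timeout=3.0):
    qid = secrets.randbits(16)  # unpredictable ID; mismatched replies are ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid, cd), (resolver, 53))
        try:
            while True:
                reply = sock.recv(512)
                if len(reply) >= 12 and reply[:2] == struct.pack("!H", qid):
                    return rcode(reply)
        except socket.timeout:
            return "TIMEOUT"

def check(name, resolvers):
    return {r: classify(ask(r, name, False), ask(r, name, True)) for r in resolvers}

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: script.py DOMAIN RESOLVER_IP [RESOLVER_IP ...]
        print(check(sys.argv[1], sys.argv[2:]))
    else:  # offline: classify the constructed sample headers
        print(classify(rcode(SAMPLE_SERVFAIL), rcode(SAMPLE_NOERROR_CD)))
```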

