[185555] in North American Network Operators' Group
DNSSEC broken for login.microsoftonline.com
daemon@ATHENA.MIT.EDU (Bruce Curtis)
Tue Oct 27 11:42:35 2015
From: Bruce Curtis <bruce.curtis@ndsu.edu>
To: North American Network Operators' Group <nanog@nanog.org>
Date: Tue, 27 Oct 2015 15:42:29 +0000
FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error.
http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
http://dnsviz.net/d/login.microsoftonline.com/dnssec/
[ns1 domain]$ drill -DT login.microsoftonline.com
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted
[ns1 domain]$
[ns1 domain]$ drill -DT medicare.gov
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] gov. 86400 IN DS 7698 8 1 6f109b46a80cea9613dc86d5a3e065520505aafe
gov. 86400 IN DS 7698 8 2 6bc949e638442ead0bdaf0935763c8d003760384ff15ebbd5ce86bb5559561f0
;; Domain: gov.
;; Signature ok but no chain to a trusted key or ds record
[S] gov. 86400 IN DNSKEY 256 3 8 ;{id = 13175 (zsk), size = 1024b}
gov. 86400 IN DNSKEY 257 3 8 ;{id = 7698 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: gov. 86400 IN DNSKEY 256 3 8 AQPCY4NZARQ0HDzGismy6sZdJ17o2+yzmZSkw6d9PeeJ8NCnw9atj4PGHO50LX1Hy0n4YimUcDEXHu+sI4MBaeTkHY3ilsC2kpWGGOFW2fkXn6XNvvPVRjwk04hDsEFphOXPPdoXWjXtQiTVYkFpgUbxJYo24/JxM5JuC4v0+qDmLQ== ;{id = 13175 (zsk), size = 1024b}
[S] medicare.gov. 3600 IN DS 16500 7 1 ea88786ecaa04e66322e4405b1c1a55e31485281
medicare.gov. 3600 IN DS 16500 7 2 43a0e12df89bb342c15229495cd2bc18dddce0d9fb315aeb5b06b0d849b9a3ee
;; Domain: medicare.gov.
;; Signature ok but no chain to a trusted key or ds record
[S] medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 58988 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 41714 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 257 3 7 ;{id = 16500 (ksk), size = 2048b}
[S] medicare.gov. 20 IN A 23.213.71.152
;;[S] self sig OK; [B] bogus; [T] trusted
---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
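
Added example, not part of the original post: a small Python parser for `drill -DT` output like the two traces above, reporting the first zone below the root where the DS/DNSKEY chain stops and the status marker of the final A lookup. The function names and the abridged sample trace are this example's own; only the marker lines shown in the post are assumed.

```python
import re

# Abridged from the first trace in the post (key material, warnings omitted).
TRACE = """\
;; Domain: .
[S] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
[S] Existence denied: microsoftonline.com. DS
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; Domain: login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
"""

DOMAIN = re.compile(r";; Domain: (\S+)")
DENIED = re.compile(r"\[\w\] Existence denied: (\S+) DS")
NODATA = re.compile(r"\[(\w)\] No data found for: (\S+) type (\w+)")
RR = re.compile(r"(?:\[(\w)\] )?(\S+) \d+ IN (DS|DNSKEY|A) (.*)")

def summarize(trace):
    """Return (zones, answer): per-zone DS/DNSKEY state and the final A result."""
    zones, answer = {}, None
    def zone(name):
        return zones.setdefault(name, {"ds": None, "dnskey": False})
    for line in trace.splitlines():
        if m := DOMAIN.match(line):
            zone(m[1])
        elif m := DENIED.match(line):
            zone(m[1])["ds"] = "denied"      # parent proved that no DS exists
        elif m := NODATA.match(line):
            answer = (m[1], None)            # status letter, no address
        elif m := RR.match(line):
            status, owner, rtype, rdata = m.groups()
            if rtype == "DS":
                zone(owner)["ds"] = "present"
            elif rtype == "DNSKEY":
                zone(owner)["dnskey"] = True
            else:
                answer = (status, rdata.strip())
    return zones, answer

def first_unsigned(zones):
    """First zone below the root lacking a DS + DNSKEY pair, or None."""
    for name, z in zones.items():            # dict keeps trace (top-down) order
        if name != "." and not (z["ds"] == "present" and z["dnskey"]):
            return name, z["ds"]
    return None
```

Calling `first_unsigned(summarize(TRACE)[0])` on the abridged first trace gives `("microsoftonline.com.", "denied")`, while a trace shaped like the medicare.gov one yields `None` and an `[S]` answer.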