Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Linux434837yMxtoolbox actually giving shit about DNSSEC is scary...
But, how did you enable DNSSEC on the registrar and not placed the RSIG data in the zone? -
@Linux I didn't actually check because once it was fixed, I didn't want to touch it, but I think this is what was going on:
The registar (Namecheap) doesn't actually allow you to set DNSSEC records manually (using their DNS servers). I think they generate the privkey and automatically sign all records. The only thing that I can think of that would've caused this was if they put a DS record in the TLD zone (.com), but didn't actually sign my records (RRSIG). When a (DNSSEC-aware) resolver came along, it found the DS record, but no RRSIG, so it spat out an error. Somewhere in the chain, there must've been a DNSSEC-oblovious resolver, that interpreted that as "no record", hence me sleeping only 3 hours.
All of this is pure speculation though, as all Namecheap lets me see is a "DNSSEC toggle" switch - which I will never be touching again. -
Linux434837y@franga2000
Well, either you, or one of the providers badly fucked up. And .com is the worst tld to fuck up DNSSEC with.
It was probably a ksk rollover that failed -
@Linux right, they did postopne it to sometime around now.
Either way, I claim full responsibility for clicking a button I shouldn't have right before half a week of national holidays.
I get a call: "Hey the site is down. Fix it!"
Worked on my workstation, not on my phone => DNS issue.
Local cache: "All OK"
ISP's DNS: "No record"
Google DNS: "Server error"
MXToolbox: "All OK"
CloudFlare DNS: "Domain? What domain?"
After a day of fucking around with configs and wanting to strangle the customer support guy, I just started pressing buttons, until suddenly, it worked. Turns out I'd accidentally enabled DNSSEC on a domain, that wasn't configured for it.
Lesson learned: There is no official DNS error code for "DNSSEC failed somewhere upstream". If you're lucky, you might get something useful out of the authoritative server, but apparently not on Mondays.
rant
fuck dns
fuck dnssec