It isn’t DNSSEC. It’s a badly configured DNS server that is claiming that it serves .com rather than dnssec-analyzer-gslb.verisignlabs.com which is actually delegated to it.
% dig dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all ;; BADCOOKIE, retrying. ; <<>> DiG 9.19.24-dev <<>> dnssec-analyzer-gslb.verisignlabs.com aaaa +trace +all ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37498 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 27 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ; COOKIE: c5e52f94b77c61ce01000000662edf9c4fed996a259c1d43 (good) ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 277488 IN NS f.root-servers.net. . 277488 IN NS d.root-servers.net. . 277488 IN NS l.root-servers.net. . 277488 IN NS k.root-servers.net. . 277488 IN NS a.root-servers.net. . 277488 IN NS e.root-servers.net. . 277488 IN NS j.root-servers.net. . 277488 IN NS h.root-servers.net. . 277488 IN NS g.root-servers.net. . 277488 IN NS m.root-servers.net. . 277488 IN NS c.root-servers.net. . 277488 IN NS i.root-servers.net. . 277488 IN NS b.root-servers.net. . 277488 IN RRSIG NS 8 0 518400 20240508210000 20240425200000 5613 . YeVEKbhLW5fUll0QPjIjDWfKbmrnJ/paeh/H86oG17GPeoFRWkecq+iM 8kjxy28AHg7cElZ3w8Lq0GND+DJUCYItS6cOHdQ07XdEFCPAoXMnVQe2 sBwd5nRu8tjH/I6NOn43DtfGkNMxzoHZf/64UeWeMFF8tjlD3y9Y+TQ1 UjBU0kzpsYXkl+QYHsNJ1nABDH3gdlTqpCmtrVA1UUgDjC/12KLSIiQH ykSABJZbHnOsDc7OaRH25QLZadE6zrUwP1xiEZuDfe4xuoz2z5WSBQbv 6JjCGVpm1WDILRra64v4BpO0kVUYE5fvJgAOV2cJwJwhM4gpcBNlMvG7 e3+WFA== ;; ADDITIONAL SECTION: i.root-servers.net. 172568 IN AAAA 2001:7fe::53 d.root-servers.net. 172568 IN AAAA 2001:500:2d::d h.root-servers.net. 172568 IN AAAA 2001:500:1::53 j.root-servers.net. 172568 IN AAAA 2001:503:c27::2:30 c.root-servers.net. 172568 IN AAAA 2001:500:2::c e.root-servers.net. 172568 IN AAAA 2001:500:a8::e g.root-servers.net. 172568 IN AAAA 2001:500:12::d0d l.root-servers.net. 172568 IN AAAA 2001:500:9f::42 m.root-servers.net. 172568 IN AAAA 2001:dc3::35 k.root-servers.net. 172568 IN AAAA 2001:7fd::1 a.root-servers.net. 172568 IN AAAA 2001:503:ba3e::2:30 f.root-servers.net. 172568 IN AAAA 2001:500:2f::f b.root-servers.net. 172568 IN AAAA 2801:1b8:10::b i.root-servers.net. 172568 IN A 192.36.148.17 d.root-servers.net. 172568 IN A 199.7.91.13 h.root-servers.net. 172568 IN A 198.97.190.53 j.root-servers.net. 172568 IN A 192.58.128.30 c.root-servers.net. 172568 IN A 192.33.4.12 e.root-servers.net. 172568 IN A 192.203.230.10 g.root-servers.net. 172568 IN A 192.112.36.4 l.root-servers.net. 172568 IN A 199.7.83.42 m.root-servers.net. 172568 IN A 202.12.27.33 k.root-servers.net. 172568 IN A 193.0.14.129 a.root-servers.net. 172568 IN A 198.41.0.4 f.root-servers.net. 172568 IN A 192.5.5.241 b.root-servers.net. 172568 IN A 170.247.170.2 ;; Query time: 0 msec ;; SERVER: ::1#53(::1) (UDP) ;; WHEN: Mon Apr 29 09:45:32 AEST 2024 ;; MSG SIZE rcvd: 1125 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65435 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 1232 ;; QUESTION SECTION: ;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA ;; AUTHORITY SECTION: com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A com. 86400 IN RRSIG DS 8 1 86400 20240511170000 20240428160000 5613 . LVYx+2et07A9D8yQEvJfEZuAwwa8jIkmPueaMjyyO4lw0IHMYuQMGTMi FGReNSmz9AjHkr6w6c+Xk/mIBM7busd6QppQvtHCwTuVywVZQA1FZUAw nKpmp85aFsQyFQRKAIbbdRT1r1MTf7AOzRoi7d1mRsuKbAvzTAMfaXzB sfI9dL6Hsl7vdGBYrkAWJ1XawlVaJJ+DPPqISBaI5dTboKH3FGV5Kdyd 5Pxf/6JGMm4JF4ojARGutPotyz9cE2GrDDHQEg2nsH0WE5WM6SpsRz4B gyoDolcj2Kg+AA/1xDeh8vspAe0mmf1RPHQ0XJ7Z1TkiSQOINWdgK2J0 f0SrYA== ;; ADDITIONAL SECTION: m.gtld-servers.net. 172800 IN A 192.55.83.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 b.gtld-servers.net. 172800 IN A 192.33.14.30 a.gtld-servers.net. 172800 IN A 192.5.6.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 ;; Query time: 26 msec ;; SERVER: 202.12.27.33#53(m.root-servers.net) (UDP) ;; WHEN: Mon Apr 29 09:45:32 AEST 2024 ;; MSG SIZE rcvd: 1200 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52153 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 9 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA ;; AUTHORITY SECTION: verisignlabs.com. 172800 IN NS av1.nstld.com. verisignlabs.com. 172800 IN NS av2.nstld.com. verisignlabs.com. 172800 IN NS av3.nstld.com. verisignlabs.com. 172800 IN NS av4.nstld.com. verisignlabs.com. 86400 IN DS 57947 8 2 64877DB0EA66B229FBE8380DECF40A8BA36114F5FB34B5BFAEF0716D 6029638D verisignlabs.com. 86400 IN RRSIG DS 13 2 86400 20240502052902 20240425041902 956 com. j8YWPzlFzSD83jx0HC004wVGd6R5Hqz82BVUTb8m+5CqrPSeQ2UX97pd 1bOA5j0fzowzGF4zsvjA5cjSKDlSKA== ;; ADDITIONAL SECTION: av1.nstld.com. 172800 IN A 192.42.177.30 av1.nstld.com. 172800 IN AAAA 2001:500:124::30 av2.nstld.com. 172800 IN A 192.42.178.30 av2.nstld.com. 172800 IN AAAA 2001:500:125::30 av3.nstld.com. 172800 IN A 192.82.133.30 av3.nstld.com. 172800 IN AAAA 2001:500:126::30 av4.nstld.com. 172800 IN A 192.82.134.30 av4.nstld.com. 172800 IN AAAA 2001:500:127::30 ;; Query time: 128 msec ;; SERVER: 192.52.178.30#53(k.gtld-servers.net) (UDP) ;; WHEN: Mon Apr 29 09:45:32 AEST 2024 ;; MSG SIZE rcvd: 467 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56552 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA ;; AUTHORITY SECTION: dnssec-analyzer-gslb.verisignlabs.com. 3600 IN NS gslb.ash3.verisign.com. dnssec-analyzer-gslb.verisignlabs.com. 3600 IN NS gslb.brn1.verisign.com. dnssec-analyzer-gslb.verisignlabs.com. 3600 IN NS gslb.ilg1.verisign.com. 9B8BK6V53SSJHHL01Q7GGA3O31TUHIVE.verisignlabs.com. 86400 IN NSEC3 1 0 0 4C44934802D3 AAAFG2SNSI2PBNCSPUNVFHRU1J714K27 NS 9B8BK6V53SSJHHL01Q7GGA3O31TUHIVE.verisignlabs.com. 86400 IN RRSIG NSEC3 8 3 86400 20240527231954 20240427231954 16498 verisignlabs.com. QUDmmS5XYcRK8d2xKLuBpM+jAKhN5OFse2pgY6UlDsr+NmgJaKbsWYYk DbiMMI0tSoxKPJHGqiCiPFEq34d6EdfV6wpMX2+ZgYym15b8CTgj3tj3 MUQWuHT6ZrA37p6sCy3kvzDYBiJ+o3jvka4h6J0am4EH/DEkSCgyfKLl 0DI= ;; Query time: 125 msec ;; SERVER: 192.82.133.30#53(av3.nstld.com) (UDP) ;; WHEN: Mon Apr 29 09:45:32 AEST 2024 ;; MSG SIZE rcvd: 403 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2124 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec-analyzer-gslb.verisignlabs.com. IN AAAA ;; AUTHORITY SECTION: com. 60 IN SOA this.name.is.invalid. hostmaster.this.name.is.invalid. 2023030710 10800 3600 604800 60 ;; Query time: 299 msec ;; SERVER: 2620:74:a4::16#53(gslb.ash3.verisign.com) (UDP) ;; WHEN: Mon Apr 29 09:45:32 AEST 2024 ;; MSG SIZE rcvd: 133 % > On 28 Apr 2024, at 16:17, Walter H. via bind-users <bind-users@lists.isc.org> > wrote: > > On 27.04.2024 16:54, Lee wrote: >> On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users >> <bind-users@lists.isc.org> wrote: >>> # host dnssec-analyzer.verisignlabs.com >>> dnssec-analyzer.verisignlabs.com is an alias for >>> dnssec-analyzer-gslb.verisignlabs.com. >>> dnssec-analyzer-gslb.verisignlabs.com has address 209.131.158.42 >>> >> Right, the IPv4 address lookup works. Now try looking up the IPv6 address. > > if there was one it would be presented there > > see here for full answer > > # host one.one.one.one > one.one.one.one has address 1.1.1.1 > one.one.one.one has address 1.0.0.1 > one.one.one.one has IPv6 address 2606:4700:4700::1001 > one.one.one.one has IPv6 address 2606:4700:4700::1111 > >> >> I get a status: SERVFAIL instead of a status: NOERROR >> >> $ dig dnssec-analyzer.verisignlabs.com aaaa >> >> ; <<>> DiG 9.16.48-Debian <<>> dnssec-analyzer.verisignlabs.com aaaa >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491 >> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 >> >> Lee > > this can't be a matter of DNSSEC, as there are only signed whole zones and > not just single DNS-records ... > > would it be a problem with just this DNS zone, why are only problems getting > the IPv6? > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users