client: DNSSEC for api-0.core.keybaseapi.com failing
Regular DNSSEC validation is failing. This issue prevents those enforcing DNSSEC from logging into the app, and does not provide much insight into what the issue is. I have included the output of dig, as well as dnssec-analyzer, and dnsviz to confirm this issue is not just on my end.
I believe this issue started happening a few days ago. Turning off DNSSEC validation fixes the issue. While regular DNSSEC validation is failing due to missing RRSIG records, top-down validation appears to be working, for what that’s worth.
dig . DNSKEY @8.8.8.8 | grep -Ev '^($|;)' | tee /tmp/root.keys
. 106294 IN DNSKEY 256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
. 106294 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 106294 IN DNSKEY 385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
dig +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys api-0.core.keybaseapi.com @8.8.8.8
; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys api-0.core.keybaseapi.com @8.8.8.8
;; global options: +cmd
. 13922 IN NS j.root-servers.net.
. 13922 IN NS k.root-servers.net.
. 13922 IN NS e.root-servers.net.
. 13922 IN NS b.root-servers.net.
. 13922 IN NS h.root-servers.net.
. 13922 IN NS l.root-servers.net.
. 13922 IN NS a.root-servers.net.
. 13922 IN NS d.root-servers.net.
. 13922 IN NS g.root-servers.net.
. 13922 IN NS i.root-servers.net.
. 13922 IN NS m.root-servers.net.
. 13922 IN NS c.root-servers.net.
. 13922 IN NS f.root-servers.net.
. 13922 IN RRSIG NS 8 0 518400 20190305180000 20190220170000 16749 . RO9vbRY1ba30qUOz1850rvUOaC3NulvHBMzSECXChjHihOXroPLt/IEm PmYLg7yDlyekwjNyE8UNFMEB+O9YcTtPPO+Pis/3Wt8xayZIj4o2otHw tt3o7SgiDxqK8aupRxJooImaBJqXz2r8WxjXT1uAOja7mp2vtyjZwqWU YgFU6Rn+Aca62RS41V+i4gSte2sAvVSwoU3u8evDC4uLjOdqc2HrvSGi DFv5J9pQnBljge9Gcutw74q3aPwjcRauFgZ5d/YZwmScbeVwfOwSibME nXVx0+jtmWfKE+XxdG3uQj7kvDZ/N74JAmDp0wAMFWCSwnlpTjuaizBj O0MZrQ==
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20190308170000 20190223160000 16749 . JI1Ucc/thWUydXM16hX+xAH64173z8rYEcAkuie81u3O92eSiyDakmPD Fdn4va61rxgH54IsS0mMn7qdEyGLibDbLPDfPVp5lDl3PYyiZa6YoMLk ZOiY5hIZ4uqbf03ioMezL/qwQA9F1TXYYOxX11SfKZv03ZjhWrgHtJIu P71xz682JRixdSrCDvB9sFqmPjm67dVkvlhDxb4wgBJ5ka0hlFbJupS0 mMIke68dspu+ICcb3EAMJFeXeKgyLSCMyATc3UPhleNv5zIh8FxqCIu1 awmgSc8QhPBtdY52y5xHdgKr40WWrplL5xOD79Xh9f9lTNHmrcN9lhOO Ka/xvQ==
keybaseapi.com. 172800 IN NS ns-467.awsdns-58.com.
keybaseapi.com. 172800 IN NS ns-788.awsdns-34.net.
keybaseapi.com. 172800 IN NS ns-1197.awsdns-21.org.
keybaseapi.com. 172800 IN NS ns-1867.awsdns-41.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190228054417 20190221043417 16883 com. RiB0Vau40snx25D4+erUpcMrBRp1TPMc1So1NNWgaWdeGyw8I0E2+xFt jeDWy+HvxTbimSKBWem8KoY/sTtlsMRlYA0621UYqSCnNhuMNPRinFUo aBLeVZ0oitwZ+Y45mOE0UpOnG9IPuYGHJ3wQLPjOEhWt7/dqHdr+lCc2 t3s=
BNCLDMFMP5K1222TAN15G7DHV19RD26S.com. 86400 IN NSEC3 1 1 0 - BNCM9F8A7K6HTTCLG03JMTD2GEOL2IIV NS DS RRSIG
BNCLDMFMP5K1222TAN15G7DHV19RD26S.com. 86400 IN RRSIG NSEC3 8 2 86400 20190228060503 20190221045503 16883 com. QFUMaPHA+WmTrqnR1gvG/sKp6p5aNTZ5nO31ZwU1IW/6ceovRXxtLreo kCYbZ9T58+Yu1mG3oBKnYZOhOF1AGw8iUzOncGWv+/Cgskp5QofJG+pA dZ7zwzIccZy2Xs+1xbajClh1Rx0471Z+8ylWvTXD3H8uUcQHV1DjsNQj CsQ=
api-0.core.keybaseapi.com. 60 IN A 52.201.110.180
api-0.core.keybaseapi.com. 60 IN A 52.205.52.74
keybaseapi.com. 172800 IN NS ns-1197.awsdns-21.org.
keybaseapi.com. 172800 IN NS ns-1867.awsdns-41.co.uk.
keybaseapi.com. 172800 IN NS ns-467.awsdns-58.com.
keybaseapi.com. 172800 IN NS ns-788.awsdns-34.net.
;; RRset to chase:
api-0.core.keybaseapi.com. 60 IN A 52.201.110.180
api-0.core.keybaseapi.com. 60 IN A 52.205.52.74
Launch a query to find a RRset of type RRSIG for zone: api-0.core.keybaseapi.com.
api-0.core.keybaseapi.com. 60 IN A 52.201.110.180
api-0.core.keybaseapi.com. 60 IN A 52.205.52.74
keybaseapi.com. 172800 IN NS ns-1197.awsdns-21.org.
keybaseapi.com. 172800 IN NS ns-1867.awsdns-41.co.uk.
keybaseapi.com. 172800 IN NS ns-467.awsdns-58.com.
keybaseapi.com. 172800 IN NS ns-788.awsdns-34.net.
;; RRSIG is missing for continue validation: FAILED
Top down validation is working however:
dig +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys +topdown api-0.core.keybaseapi.com @8.8.8.8
; <<>> DiG 9.11.5-P1-1ubuntu2-Ubuntu <<>> +additional +besteffort +crypto +dnssec +nofail +identify +question +recurse +sigchase +trace +trusted-key=/tmp/root.keys +topdown api-0.core.keybaseapi.com @8.8.8.8
;; global options: +cmd
. 209854 IN NS a.root-servers.net.
. 209854 IN NS b.root-servers.net.
. 209854 IN NS c.root-servers.net.
. 209854 IN NS d.root-servers.net.
. 209854 IN NS e.root-servers.net.
. 209854 IN NS f.root-servers.net.
. 209854 IN NS g.root-servers.net.
. 209854 IN NS h.root-servers.net.
. 209854 IN NS i.root-servers.net.
. 209854 IN NS j.root-servers.net.
. 209854 IN NS k.root-servers.net.
. 209854 IN NS l.root-servers.net.
. 209854 IN NS m.root-servers.net.
. 209854 IN RRSIG NS 8 0 518400 20190307200000 20190222190000 16749 . jTDXZpkqGjhKvf4L1D7Kh1KJ5jXC01Y7be9FyaLjL63OlYJyUylMCnoC zv4nXl7urnJeFRRZR4RpxoW2VEf5BiLufgzKPtyC862x5E+poYIFFnww x2Sc4/QNiiAVHJRxY3GDBFuoQ4+TG/LL9iG04AWpbLfF7jqVTq1XzMnm vFyOPYw/ygqO8dqNbPPXrEeg1lnKPcqYwxXKF5njcfqQfGKExUmnW4ZH i0QLAVIf/VTGoqCjn7sTOnQ9vPc3LjAQzFA9f41/EfA3gDNOKm9WHUKw XutA82F5UdNjycEJMg6v9KfXC/NJ9PvwaNU1SM2IjSJSUe2BYMYDOU3R TwxsYg==
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==
ns name: 198.41.0.4
ns name: 199.9.14.201
ns name: 192.33.4.12
ns name: 199.7.91.13
ns name: 192.203.230.10
ns name: 192.5.5.241
ns name: 192.112.36.4
ns name: 198.97.190.53
ns name: 192.36.148.17
ns name: 192.58.128.30
ns name: 193.0.14.129
ns name: 199.7.83.42
ns name: 202.12.27.33
Launch a query to find a RRset of type NS for zone: . with nameservers:
. 209854 IN NS a.root-servers.net.
. 209854 IN NS b.root-servers.net.
. 209854 IN NS c.root-servers.net.
. 209854 IN NS d.root-servers.net.
. 209854 IN NS e.root-servers.net.
. 209854 IN NS f.root-servers.net.
. 209854 IN NS g.root-servers.net.
. 209854 IN NS h.root-servers.net.
. 209854 IN NS i.root-servers.net.
. 209854 IN NS j.root-servers.net.
. 209854 IN NS k.root-servers.net.
. 209854 IN NS l.root-servers.net.
. 209854 IN NS m.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==
ns name: 198.41.0.4
ns name: 199.9.14.201
ns name: 192.33.4.12
ns name: 199.7.91.13
ns name: 192.203.230.10
ns name: 192.5.5.241
ns name: 192.112.36.4
ns name: 198.97.190.53
ns name: 192.36.148.17
ns name: 192.58.128.30
ns name: 193.0.14.129
ns name: 199.7.83.42
ns name: 202.12.27.33
Launch a query to find a RRset of type NS for zone: . with nameservers:
. 209854 IN NS a.root-servers.net.
. 209854 IN NS b.root-servers.net.
. 209854 IN NS c.root-servers.net.
. 209854 IN NS d.root-servers.net.
. 209854 IN NS e.root-servers.net.
. 209854 IN NS f.root-servers.net.
. 209854 IN NS g.root-servers.net.
. 209854 IN NS h.root-servers.net.
. 209854 IN NS i.root-servers.net.
. 209854 IN NS j.root-servers.net.
. 209854 IN NS k.root-servers.net.
. 209854 IN NS l.root-servers.net.
. 209854 IN NS m.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20190308170000 20190223160000 16749 . D1fW1mD8f+bOvNvXv1/MiFPH6H2M5ejRilQAdjZZDd/qKQXWqewplc17 hXHVVxhZRwddD5uM7RGq14nO71g24fklLM3vXQzDX3sHGhIVtM/tNc86 Eo5kJyPdEa/+mr3ho3SJ/Tz3+WeXJvEI3+H82GxHP8CnfsNarhY4r6kr bwa3WiQiqukSt1ZH7/tYXXqSc2zc6Hfw7qqQ5Wy6glNI2PtmIGbcVHKL cmmbMNopQhrB7f6J3LR8f0Hx41LgG6YETzZplMpNWggUWwURcoTtF0+Z 5Q0dpuRfmv+gJ6XNuDi2r4SuG8iZqa4L4ZSsH8O704t39pbzPMZVwo7+ WzfLwA==
Launch a query to find a RRset of type DNSKEY for zone: .
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 172800 IN DNSKEY 256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
. 172800 IN DNSKEY 385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
. 172800 IN RRSIG DNSKEY 8 0 172800 20190313000000 20190220000000 20326 . bKvs4iBtsS7x4UItBsNxJnGzKUowmON76AJt6DQlUjcDXdmNUGW0DNfw z91UCnfonlNeG09mCbRFzhfrgNiE2Niu0Qxh+EcygOjuy1uObcPgFBUs Kp201u0WFQwrUl4O0NQfPY5Fa01e44v1u+L/yj2WK4gW2BKfW+5d9GIJ hWRAPYWphOiG0+G1MUlWQ45cS07wu2X90+UDREw0prI0c4yJ9OiI6OnS vUvDhoyIgf5oHHYPieU7qu/aaiY8MdyJgfIelmFA65VzLDsTAHGoaagx JEolJehWSJl6AhY0mIs6lF2WXVCtEQbdLocsuCXln3w/n8jO2oJBotQ7 S6E4bQ==
. 172800 IN RRSIG DNSKEY 8 0 172800 20190313000000 20190220000000 19164 . eyvOQiC637051ggBwNwq0Kle0vatTO4HrfxgLlRcVDWGZeYVoDRGkqPi CyC1K1HvUrRQHB8vbXfdhrVfXJpjh9e1+Uf403++n6J94wMi2UlAmUkN wo6ROE9JcT4QFpQrUj1TPqY9DpdRrRUYgAPl/PNCvKwIvbwSt4I070PL GGPeumOIPCeZr7YMt8ewiCS3uwOUJB6bk8qUo4tQeL5pkPpmFgozw2v7 JT/8nTZfbu6T0+9GmqRDxvizFVZ8lQRKZZif+Ilyb+Lz7j2XHiI0JszL EQ5vQKLKEtBtyHwcL7ZPgbN/mpN9ik8h/Jx0H1hjhaS+jSCBBulq+hde 8GFH0A==
;; DNSKEYset:
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
. 172800 IN DNSKEY 256 3 8 AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfsPBT+whyj0/Uh D7cWeixV9Wqzj/cnqs8iWELqhdzGX41ZtaNQUfWNfOriASnWmX2D9m/E unplHu8nMSlDnDcT7+llE9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG 39dyAb7tz21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qAQT1M gwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY6b1LTg34/YfHdiII ZQqAfqbieruCGHRiSscC2ZE7iNreL/76f4JyIEUNkt6bQA29JsegxorL zQkpF7NKqZc=
. 172800 IN DNSKEY 385 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; RRSIG of the DNSKEYset:
. 172800 IN RRSIG DNSKEY 8 0 172800 20190313000000 20190220000000 20326 . bKvs4iBtsS7x4UItBsNxJnGzKUowmON76AJt6DQlUjcDXdmNUGW0DNfw z91UCnfonlNeG09mCbRFzhfrgNiE2Niu0Qxh+EcygOjuy1uObcPgFBUs Kp201u0WFQwrUl4O0NQfPY5Fa01e44v1u+L/yj2WK4gW2BKfW+5d9GIJ hWRAPYWphOiG0+G1MUlWQ45cS07wu2X90+UDREw0prI0c4yJ9OiI6OnS vUvDhoyIgf5oHHYPieU7qu/aaiY8MdyJgfIelmFA65VzLDsTAHGoaagx JEolJehWSJl6AhY0mIs6lF2WXVCtEQbdLocsuCXln3w/n8jO2oJBotQ7 S6E4bQ==
. 172800 IN RRSIG DNSKEY 8 0 172800 20190313000000 20190220000000 19164 . eyvOQiC637051ggBwNwq0Kle0vatTO4HrfxgLlRcVDWGZeYVoDRGkqPi CyC1K1HvUrRQHB8vbXfdhrVfXJpjh9e1+Uf403++n6J94wMi2UlAmUkN wo6ROE9JcT4QFpQrUj1TPqY9DpdRrRUYgAPl/PNCvKwIvbwSt4I070PL GGPeumOIPCeZr7YMt8ewiCS3uwOUJB6bk8qUo4tQeL5pkPpmFgozw2v7 JT/8nTZfbu6T0+9GmqRDxvizFVZ8lQRKZZif+Ilyb+Lz7j2XHiI0JszL EQ5vQKLKEtBtyHwcL7ZPgbN/mpN9ik8h/Jx0H1hjhaS+jSCBBulq+hde 8GFH0A==
;; Ok, find a Trusted Key in the DNSKEY RRset: 20326
;; VERIFYING DNSKEY RRset for . with DNSKEY:20326: success
;; VERIFYING NS RRset for . with DNSKEY:16749: success
;; The Answer:
. 209854 IN NS a.root-servers.net.
. 209854 IN NS b.root-servers.net.
. 209854 IN NS c.root-servers.net.
. 209854 IN NS d.root-servers.net.
. 209854 IN NS e.root-servers.net.
. 209854 IN NS f.root-servers.net.
. 209854 IN NS g.root-servers.net.
. 209854 IN NS h.root-servers.net.
. 209854 IN NS i.root-servers.net.
. 209854 IN NS j.root-servers.net.
. 209854 IN NS k.root-servers.net.
. 209854 IN NS l.root-servers.net.
. 209854 IN NS m.root-servers.net.
;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS
;; cleanandgo
api-0.core.keybaseapi.com/A: A query for api-0.core.keybaseapi.com results in a NOERROR response, while a query for its ancestor, core.keybaseapi.com, returns a name error (NXDOMAIN), which indicates that subdomains of core.keybaseapi.com, including api-0.core.keybaseapi.com, don’t exist. (205.251.193.211, 205.251.195.20, 205.251.196.173, 205.251.199.75, 2600:9000:5301:d300::1, 2600:9000:5303:1400::1, 2600:9000:5304:ad00::1, 2600:9000:5307:4b00::1, UDP_-_EDNS0_4096_D_K)
Checking DS between com and keybaseapi.com
No DS records found for keybaseapi.com in the com zone
No DNSKEY records found
keybaseapi.com is authoritative for api-0.core.keybaseapi.com
api-0.core.keybaseapi.com A RR has value 52.201.110.180
api-0.core.keybaseapi.com A RR has value 52.205.52.74
No RRSIGs found
systemd-resolve logs
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN SOA: failed-auxiliary
-- Subject: DNSSEC validation failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- Documentation: man:systemd-resolved.service(8)
--
-- A DNS query or resource record set failed DNSSEC validation. This is usually
-- indication that the communication channel used was tampered with.
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: failed-auxiliary
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: failed-auxiliary
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question bserver-0.kbfs.keybaseapi.com IN A: failed-auxiliary
Feb 22 22:04:02 server systemd-resolved[1754]: DNSSEC validation failed for question mdserver-1.kbfs.keybaseapi.com IN A: failed-auxiliary
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 17 (6 by maintainers)
Done.
FWIW, I have allow-downgrade set, so I can resolve domains that don’t provide DNSSEC, but it’s throwing an error because core.keybaseapi.com has no records pointing to where to resolve the next level up (*.core.keybaseapi.com). Which is also why I think it validates when resolved from the top down, but not the bottom up.
I think adding the same Amazon NS records for the core subdomain would fix it (it being a minor usability, not security, issue).
@pzduniak It might be worth reading this output:
It’s not a DNSSEC issue but rather a general DNS error, core.keybaseapi.com should not return NXDOMAIN.
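The inconsistency named in the last comment and in the DNSViz message quoted in the issue (NOERROR for a name whose ancestor answers NXDOMAIN, which RFC 8020 forbids) can be checked mechanically. The following is an added example, not code from the thread or from Keybase; the response tables are constructed to mirror the reported state, and the function names are hypothetical.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: the rcode each name is assumed to return from the
# zone's authoritative servers, mirroring the DNSViz finding in the issue.
RCODES_BROKEN: Dict[str, str] = {
    "api-0.core.keybaseapi.com.": "NOERROR",
    "core.keybaseapi.com.": "NXDOMAIN",  # empty non-terminal answered as "no such name"
    "keybaseapi.com.": "NOERROR",
    "com.": "NOERROR",
}
# Same zone after the fix: the empty non-terminal answers NOERROR with no data.
RCODES_FIXED: Dict[str, str] = dict(RCODES_BROKEN, **{"core.keybaseapi.com.": "NOERROR"})


def ancestors(name: str) -> List[str]:
    """Return the name and every ancestor below the root, leaf first, as FQDNs."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def nxdomain_conflicts(
    name: str, lookup: Callable[[str], Optional[str]]
) -> List[Tuple[str, str]]:
    """Return (ancestor, descendant) pairs that violate RFC 8020.

    NXDOMAIN for a name asserts that nothing exists at or below it, so a
    descendant that answers NOERROR contradicts it. Validating resolvers that
    query the ancestors (for SOA or DS) can then fail the whole lookup.
    """
    chain = [(n, lookup(n)) for n in ancestors(name)]
    conflicts = []
    for i, (anc, anc_rcode) in enumerate(chain):
        if anc_rcode != "NXDOMAIN":
            continue
        # Everything before index i in the chain lies below this ancestor.
        for desc, desc_rcode in chain[:i]:
            if desc_rcode == "NOERROR":
                conflicts.append((anc, desc))
    return conflicts


if __name__ == "__main__":
    for label, table in (("broken", RCODES_BROKEN), ("fixed", RCODES_FIXED)):
        found = nxdomain_conflicts("api-0.core.keybaseapi.com", table.get)
        print(label, found if found else "consistent")
```

For live use, replace the table lookup with a function that queries the zone's authoritative servers directly and returns the response code, since a recursive resolver may already have applied its own validation policy.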