
Quoting Jason White (jason@jasonjgw.net):
Hello Luv members,
Greetings from the SCALE14x conference in Pasadena, California. https://www.socallinuxexpo.org/scale/14x
I've recently added DNSSec signatures to my domain (jasonjgw.net), and supplied the key to my DNS registrar, gandi.net.
Unfortunately, my ISP's name servers, which perform DNSSec validation, now return a SERVFAIL (indicating a validation failure) when I look up the domain. Google's public servers succeed, however, as DNSSec Analyzer appears to do: http://dnssec-debugger.verisignlabs.com/
The primary DNS server is running Bind 9 and I essentially followed the instructions here: https://nocko.se/2012/03/21/dnssec-quickly-and-correctly/
Is there anything that seems amiss?
I lack a solution, but wish to offer a data point, which being lazy, I had a Web site work out for me:
http://www.dnsstuff.com/tools#dnsReport|type=domain&&value=jasonjgw.net
finds no problems whatsoever with your DNSSec information.

The report[1] offers tips on a number of other things, so I will comment on those, below:

1. SOA EXPIRE:

$ dig -t soa jasonjgw.net @svr.jasonjgw.net +short
svr.jasonjgw.net. jason.jasonjgw.net. 2016010101 3600 1200 9676800 10800
$

RFC1912 suggests a value between 1209600 and 2419200 seconds (14 to 28 days). You have 9676800 seconds = 112 days. Of course, you might have an edge condition making this desirable, but that would be rare.

2. svr.jasonjgw.net (IP 192.155.90.172) is cheerfully responding correctly to queries about its nameserver software type and version, and OS/distro and version. On the one hand, some would say concealing this information is security by obscurity, but most sysadmins would say it's unwise to assist attackers in their preparatory task of 'resource discovery' (probing potential targets), especially without any compensating benefit.

This is all derived from an unwise feature from early days of DNS called Chaosnet, a pseudo-TLD of class CHAOS publishing these data about the server:

version:   name version.bind,  type TXT, class CHAOS
hostname:  name hostname.bind, type TXT, class CHAOS
server-id: name ID.SERVER,     type TXT, class CHAOS

$ dig -t txt -c chaos version.bind @svr.jasonjgw.net +short
"9.10.3-P2-RedHat-9.10.3-7.P2.fc23"
$ dig -t txt -c chaos hostname.bind @svr.jasonjgw.net +short
"svr.jasonjgw.net"
$ dig -t txt -c chaos ID.SERVER @svr.jasonjgw.net +short
$

FWIW, this is what my nameserver answers:

$ dig -t txt -c chaos version.bind @ns1.linuxmafia.com +short
"Shirley, you're joking"
$ dig -t txt -c chaos hostname.bind @ns1.linuxmafia.com +short
"ns1.linuxmafia.com"
$ dig -t txt -c chaos ID.SERVER @ns1.linuxmafia.com +short
$

BIND9 configuration for the above:

options {
        [...]
        version "Shirley, you're joking";
        hostname "ns1.linuxmafia.com";
        [...]
};

3. One of your MXes (the third-priority one, opera.rednote.net) doesn't accept mail to your postmaster or abuse addresses. Example using postmaster:

$ telnet opera.rednote.net smtp
Trying 66.228.34.147...
Connected to opera.rednote.net.
Escape character is '^]'.
opera.rednote.net ESMTP Sendmail 8.15.2/8.15.2; Sun, 24 Jan 2016 23:28:46 GMT
HELO jasonjgw.net
250 opera.rednote.net Hello [38.98.46.140], pleased to meet you
MAIL FROM: <rick@linuxmafia.com>
250 2.1.0 <rick@linuxmafia.com>... Sender ok
RCPT TO: <postmaster@jasonjgw.net>
550 5.7.1 <postmaster@jasonjgw.net>... Relaying denied. IP name lookup failed [38.98.46.140]
quit
221 2.0.0 opera.rednote.net closing connection
Connection closed by foreign host.
$

Domains sending and receiving mail are required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1 to have valid, deliverable postmaster@ and abuse@ addresses.

[1] The site proprietor allows random members of the public several free of charge uses of this CGI and then asks you to subscribe. Clearing cookies resets.

-- 
Cheers,                 QA engineer walks into a bar. Orders a beer.
Rick Moen               Orders 0 beers. Orders 999999999 beers. Orders
rick@linuxmafia.com     a lizard. Orders -1 beers. Orders a sfdeljknesv.
McQ! (4x80)             -- @sempf, https://www.sempf.net/post/On-Testing1.aspx
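Added example (not part of the thread or either poster's code): a small checker that takes the `dig +short` outputs quoted above as pasted text, parses the SOA timers and compares EXPIRE against the RFC 1912 range Rick cites, and flags a CHAOS-class version.bind answer that discloses a real BIND release string rather than a decoy or nothing. The sample inputs are re-typed from the message; the RETRY-versus-REFRESH check is a general RFC 1912 sanity rule not discussed in the thread.

```python
import re
from dataclasses import dataclass

# RFC 1912 section 2.2: recommended SOA EXPIRE is 14 to 28 days.
RFC1912_EXPIRE_MIN = 14 * 86400   # 1209600 s
RFC1912_EXPIRE_MAX = 28 * 86400   # 2419200 s

@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa_short(line: str) -> Soa:
    """Parse the single line printed by `dig -t soa <zone> +short`."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {line!r}")
    mname, rname, *numbers = fields
    return Soa(mname.rstrip("."), rname.rstrip("."), *map(int, numbers))

def check_soa(soa: Soa) -> list:
    """Return findings where SOA timers fall outside RFC 1912 guidance."""
    findings = []
    if not RFC1912_EXPIRE_MIN <= soa.expire <= RFC1912_EXPIRE_MAX:
        findings.append(f"EXPIRE {soa.expire}s ({soa.expire // 86400} days) outside 14-28 days")
    if soa.retry >= soa.refresh:   # RFC 1912: retry is normally a fraction of refresh
        findings.append(f"RETRY {soa.retry}s is not shorter than REFRESH {soa.refresh}s")
    return findings

# Anything that looks like a software release number, e.g. 9.10.3-P2.
_VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

def version_disclosed(txt_answer: str) -> bool:
    """True if a CHAOS-class version.bind TXT answer leaks a real version string.
    An empty answer (CHAOS queries disabled) or a decoy like the one above is not a disclosure."""
    text = txt_answer.strip().strip('"')
    return bool(text) and _VERSION_RE.search(text) is not None

if __name__ == "__main__":
    # Sample inputs re-typed from the outputs quoted in the message.
    soa = parse_soa_short("svr.jasonjgw.net. jason.jasonjgw.net. 2016010101 3600 1200 9676800 10800")
    for finding in check_soa(soa):
        print("SOA:", finding)
    for server, answer in [("svr.jasonjgw.net", '"9.10.3-P2-RedHat-9.10.3-7.P2.fc23"'),
                           ("ns1.linuxmafia.com", '"Shirley, you\'re joking"')]:
        print(server, "version.bind disclosed:", version_disclosed(answer))
```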