Verisign's public DNS cannot resolve our domain

Greetings:

I am network administrator for Stephen F. Austin State University. Our domain is SFASU.EDU. Educause is the TLD for .EDU and is through whom we have our registration. Verisign has a correct WHOIS entry for our domain which reads:

Domain Name: SFASU.EDU
Registry Domain ID: 405928_DOMAIN_EDU-VRSN
Registrar WHOIS Server: whois.educause.net
Registrar URL: http://www.educause.edu/edudomain
Updated Date: 2017-04-23T07:04:28Z
Creation Date: 1991-04-22T04:00:00Z
Registry Expiry Date: 2018-04-22T04:00:00Z
Registrar: Educause
Registrar IANA ID: 365
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.SFASU.EDU
Name Server: NS3.SFASU.EDU
DNSSEC: signedDelegation
DNSSEC DS Data: 1611 7 2 BF2BDDD655B71ABFF5D2829DF22123D277AF4EED07FB9CB30A8004540DFD81FD
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

However, Verisign's public DNS servers, which I understand to be 64.6.64.6 and 64.6.65.6, both return the following:

> sfasu.edu
Server: [64.6.64.6]
Address: 64.6.64.6

*** [64.6.64.6] can't find sfasu.edu: Server failed
> server 64.6.65.6
Default Server: recpubns2.nstld.net
Address: 64.6.65.6

> sfasu.edu
Server: recpubns2.nstld.net
Address: 64.6.65.6

*** recpubns2.nstld.net can't find sfasu.edu: Server failed

Can someone examine this and determine why those public DNS servers cannot resolve us?

Thanks

Comments

  • Doing some DIGs it appears there is an issue with a broken chain of trust for your domain. You can see the errors at http://dnsviz.net/d/sfasu.edu/dnssec/

    You will need to ensure that your domain is signed at both the registry and on your name servers if you are utilizing DNSSEC.
  • Hello srasmussen! We are reviewing your inquiry, and will follow up with you as soon as we have an update.
  • jcraft, we temporarily disabled dnssec. But, if you think that is the problem with regular resolution, we could pursue that. I was wondering if the problem might be our glue records.
  • Our resolvers validate DNSSEC, therefore if you have disabled DNSSEC on your nameservers but haven't actually removed the DS record from the registry, we would not resolve your domain due to the broken chain of trust. If you find the need to disable DNSSEC you should always ensure to also unsign your zone at the registry to prevent any resolution-related issues since DNSSEC-aware resolvers such as ours would fail your zone and subsequently would not resolve it. Hope this helps?
  • Turning DNSSEC back on, and will address the broken trust with Educause. Thanks. I'll post an update if things change.
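
The broken chain of trust discussed in the replies above, as an added example that is not part of the original thread: it classifies a delegation by checking whether any DS record held at the parent matches a DNSKEY served by the zone. The function names and the sample DNSKEY are constructed for illustration; the DS tuple is the one in the WHOIS output in the question. It covers only DS-to-DNSKEY matching for SHA-256 digests and leaves out the RRSIG verification a real validator also performs.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, section 6.2)."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B; not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """Digest type 2 (RFC 4509): SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def chain_status(owner, ds_set, dnskeys):
    """Classify a delegation the way a validating resolver would.
    ds_set: (key_tag, algorithm, digest_type, digest_hex) tuples from the parent.
    dnskeys: DNSKEY RDATA byte strings served by the child zone."""
    if not ds_set:
        return "insecure"   # no DS at the parent: answered without validation
    for tag, alg, dtype, digest in ds_set:
        for rdata in dnskeys:
            if (dtype == 2 and rdata[3] == alg and key_tag(rdata) == tag
                    and ds_sha256(owner, rdata) == digest.upper()):
                return "secure"
    return "bogus"          # DS present, no matching DNSKEY: resolver returns SERVFAIL

# DS tuple copied from the WHOIS output in the question.
PAGE_DS = (1611, 7, 2,
           "BF2BDDD655B71ABFF5D2829DF22123D277AF4EED07FB9CB30A8004540DFD81FD")

# Constructed DNSKEY RDATA: flags 257 (KSK), protocol 3, algorithm 7, followed by
# filler bytes standing in for key material. It is not the real sfasu.edu key.
SAMPLE_KEY = struct.pack("!HBB", 257, 3, 7) + bytes(range(1, 65))
SAMPLE_DS = (key_tag(SAMPLE_KEY), 7, 2, ds_sha256("sfasu.edu", SAMPLE_KEY))

if __name__ == "__main__":
    print(chain_status("sfasu.edu", [PAGE_DS], []))              # unsigned zone, DS left behind
    print(chain_status("sfasu.edu", [PAGE_DS], [SAMPLE_KEY]))    # re-signed with another key
    print(chain_status("sfasu.edu", [], []))                     # DS removed at the registry
    print(chain_status("sfasu.edu", [SAMPLE_DS], [SAMPLE_KEY]))  # DS matches served key
```

The first two cases are the ones a validating resolver refuses to answer; the last two resolve, the third without DNSSEC protection.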