Domain doesn't resolve through Google DNS or other DNSSEC validating servers


#1

I’ve already sent multiple support requests to Dreamhost and to the Google discussion group:
https://groups.google.com/forum/#!topic/public-dns-discuss/xBjI62Kz-sw

Sites used for testing and comparison:
http://dnssec-debugger.verisignlabs.com/devinliao.com I have DS records
http://dnssec-debugger.verisignlabs.com/dreamhost.com no DS records
http://dnsviz.net/d/devinliao.com/dnssec/
http://dnsviz.net/d/dreamhost.com/dnssec/
www.intodns.com/devinliao.com
www.intodns.com/dreamhost.com
http://dnscheck.pingdom.com/?domain=devinliao.com&timestamp=1373434385&view=1

Messages I’ve sent to support:

"The only major issue is that any DNS resolver that does DNSSEC validation returns a failure. Many people use Google DNS, or possibly another server (up to 4% of all DNS resolvers) that performs DNSSEC validation; they would just see the website as down. If more DNS resolvers start to perform validation, my site probably won’t load at all. (I’ve only tested with 4 DNS servers.)

My site is behaving similarly to the www.dnssec-failed.org site, which will not load on DNSSEC-validating servers. I first saw this problem when I was on my company’s wireless, which uses Google DNS, and when I tried at home it also failed, so I had to switch DNS servers.

Not sure if this will help:
http://dnscheck.pingdom.com/?domain=devinliao.com&timestamp=1373434385&view=1

It says: Inconsistent security for devinliao.com - DS found at parent, but no DNSKEY found at child.

The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation.

Fails:
dig @149.20.64.20 devinliao.com +cd
dig @149.20.64.21 devinliao.com +cd
dig @8.8.8.8 devinliao.com +cd
dig @8.8.4.4 devinliao.com +cd

So far, support has only stated that Dreamhost doesn’t support DNSSEC; however, all my DNS reports on websites have inconsistencies with other websites.

www.intodns.com/dreamhost.com shows the A record
http://www.intodns.com/devinliao.com shows errors for WWW

http://dnsviz.net/d/devinliao.com/dnssec/ A lot of errors
http://dnsviz.net/d/dreamhost.com/dnssec/ just information

Here are the rest of my queries to support:

When comparing with other domains hosted by DreamHost, my domain is missing NSEC3; not sure if that is required, but most domains I’ve seen have it.

  • Was told that it was not needed and it is for DNSSEC.