Terrible trouble with DNSSEC and GoDaddy

Mark Andrews marka at isc.org
Sun Oct 13 23:55:44 UTC 2013

Firstly you could tell us what *zone* you are having problems with.
While GoDaddy may not be telling you what you need, you are not
telling us what we need to know to help you.

I don't blame GoDaddy for wanting to make sure that the delegation
is correct before you add a DS record.  DNSSEC can't fix a broken
configuration, it can only make it worse.

Assuming the zone is john-oliver.net you could start with making
sure the NS RRset matches what you have requested to be published
in the COM zone.  You could also ensure that the zone is *signed*
before requesting DS records be added.

; <<>> DiG 9.10.0a1 <<>> john-oliver.net ns +dnssec @ns2.sdsitehosting.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62737
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 4096
;john-oliver.net.		IN	NS

john-oliver.net.	3600	IN	NS	ns2.sdsitehosting.net.

ns2.sdsitehosting.net.	3600	IN	A
ns2.sdsitehosting.net.	3600	IN	AAAA	2600:3c01::f03c:91ff:fe96:bbec

;; Query time: 180 msec
;; SERVER: 2600:3c01::f03c:91ff:fe96:bbec#53(2600:3c01::f03c:91ff:fe96:bbec)
;; WHEN: Mon Oct 14 10:25:20 EST 2013
;; MSG SIZE  rcvd: 120

In message <slrnl5m4fp.v6.joliver at ns2.sdsitehosting.net>, John Oliver writes:
> I've been trying for three weeks to get GoDaddy to add a DS record for
> one of my zones.  Some of the excuses they've given as to why the fact
> this hasn't happened is actually my fault:
> "At this time, the issue is due to one or more nameservers associated
> with the domain are not being configured correctly.  Once the
> configuration issues with the nameservers has been resolved, you will be
> able to add a DS record to the domain without issue."
> What's the configuration issue?  Turns out to be a missing NS record.
> OK, now you can add the DS record, right?
> "We pinged the nameserver, puck.nether.net and it did reply. However,
> when we pinged NS2.SDSITEHOSTING.NET, the request timed out. We ask that
> you review this matter with your current host to ensure that the
> nameserver is properly configured."

ICMP ECHO is a standard tool for connectivity testing.  There is
no sane reason to block echo requests to a nameserver.  All blocking
does is make diagnosis of problems harder.  And if you are going
to block ICMP ECHO requests, send back ADMIN PROHIBITED.  Do not just
drop the packet.

> Flamethrower opened on low, just enough to singe a bit.
> "This has been reviewed by our administrators and has been determined to
> be an issue with the nameserver NS2.SDSITEHOSTING.NET itself. Your
> hosting provider will need to review this nameserver to determine if it
> is properly configured on their end."
> What is the 'issue'?
> "Thank you for your reply. This issue has been reviewed by our
> Administrators and Advanced Technical Support. They have reviewed the
> records for that are being pulled up for the nameserver
> NS2.SDSITEHOSTING.NET and have found that there is a issue with the
> nameserver itself. If you created the nameserver yourself, you will need
> to review the configuration that you have created for the nameserver."
> What is the issue?
> "Thank you for your reply. Our system will not accept the format that
> you have in place. We will only accept nameservers with the standard
> IPv4 format and to appears you have the nameserver NS2.SDSITEHOSTING.NET
> setup with IPv6."
> Flamethrower opened a little more.  Asked how any of these 'issues' has
> anything to do with them adding a record into the com. zone (a question
> which has never been responded to)
> "This requirements are something we have in place internally. We are not
> suggesting your nameservers are bad to use, but rather, the nameservers
> are not formatted to meet our system requirements. If our system picks
> up a IPv6 record, it will not work with our system. I do apologize for
> the inconvenience. "

Well GoDaddy should be able to perform whatever checks it is making
independent of the transport layer.  You should complain to ICANN about
this as it is unreasonable to remove an IPv6 address for a nameserver
just to be able to add a DS record for a zone hosted by that
nameserver, especially when GoDaddy is the registrar of record for
that nameserver.

> I block all traffic from 2607:F208::/32  You aren't getting any "IPv6
> records" now, so the problem is fixed, right?

Why do you think blocking traffic will help?

> "Thank you for your reply. I have reviewed your issue and show that the
> server name NS2.SITEHOSTING.NET is using
> 2600:3C01:0:0:F03C:91FF:FE96:BBEC . The IP address is what is causing
> the problem. You would need to remove this before continuing."
> Well, they've got me there... I am, in fact, using that IPv6 address,
> and unless I want to go back to IPv4 and nothing else, that's probably a
> pretty good excuse for them to just stop right there!
> So... what is it?  Is GoDaddy really so antiquated that the fact that
> one of their customers is using IPv6 actually breaks them?  Is it just
> that their "Advanced Technical Support" staff isn't very advanced, very
> technical, or very good at support?  Or have we slid into an alternate
> universe where this is all my fault, and I should abandon IPv6 because
> it just doesn't work with DNSSEC?

IPv6 and DNSSEC work fine together.

If you are getting bad service from a registrar complain to them
and if that doesn't work do as Donald Trump does and say "You're
Fired".  In addition ask for your payments back as they are failing
to provide the service you paid for.

> Venting aside, does anyone have a contact at GoDaddy that doesn't suffer
> from a terminal case of rectal-cranial inversion?  I'm mainly
> experimenting with DNSSEC, and don't want to move all of my domains over
> this one issue.  But then, if this is the level of technical support I
> can expect, maybe I should bite the bullet and go.

Market forces can't work if you don't tell them why you are moving
and then do it.

> -- 
> * John Oliver                              http://www.john-oliver.net/ *
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
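The two pre-flight checks Mark suggests above (the zone's NS RRset must match the delegation the parent publishes, and the zone must actually be signed before a DS is requested) can be automated against dig output. The following is an added example, not code from the thread or from ISC: it parses presentation-format RR lines as dig prints them, diffs the child and parent NS sets, and treats a +dnssec answer with no apex DNSKEY/RRSIG as "unsigned". The sample responses, the second nameserver puck.nether.net appearing in the zone, the parent delegation and the RRSIG/DNSKEY values are all constructed for illustration; run real queries (`dig +dnssec <zone> NS @child` and `dig <zone> NS @parent`) and feed their output in.

```python
"""Pre-flight checks before asking a registrar to publish a DS record.

Added example (not from the original thread). Parses dig-style RR lines
and checks (1) child NS RRset == parent delegation, (2) zone is signed.
All sample responses below are constructed, not captured from the zone.
"""
import re
from collections import defaultdict

# One presentation-format RR line as printed by dig:  owner TTL IN TYPE rdata...
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z0-9]+)\s*(?P<rdata>.*)$"
)


def canon(name):
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def parse_answer(text):
    """Parse dig output into {(owner, TYPE): set(rdata)}.

    Lines starting with ';' (dig comments/headers) and blank lines are
    skipped, so a whole dig transcript can be fed in, not just one section.
    """
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        rtype = m.group("rtype")
        rdata = m.group("rdata").strip()
        if rtype == "NS":
            rdata = canon(rdata)  # hostnames compare case-insensitively
        rrsets[(canon(m.group("owner")), rtype)].add(rdata)
    return dict(rrsets)


def ns_delegation_mismatch(zone, child_rrsets, parent_rrsets):
    """Diff the zone's own NS RRset against the NS set delegated by the parent."""
    key = (canon(zone), "NS")
    child = child_rrsets.get(key, set())
    parent = parent_rrsets.get(key, set())
    return {
        "missing_at_parent": sorted(child - parent),
        "missing_in_zone": sorted(parent - child),
    }


def zone_is_signed(zone, child_rrsets):
    """True if a +dnssec answer from the child carries an apex DNSKEY RRset and
    RRSIGs covering both DNSKEY and NS. An unsigned zone returns no RRSIG at
    all even with the DO bit set, which is what the dig output above shows."""
    apex = canon(zone)
    covered = {sig.split()[0] for sig in child_rrsets.get((apex, "RRSIG"), set())}
    return (apex, "DNSKEY") in child_rrsets and {"DNSKEY", "NS"} <= covered


def preflight(zone, child_text, parent_text):
    """Run both checks. Returns (ok, list_of_problems)."""
    child, parent = parse_answer(child_text), parse_answer(parent_text)
    problems = []
    diff = ns_delegation_mismatch(zone, child, parent)
    for ns in diff["missing_at_parent"]:
        problems.append(f"NS {ns} is in the zone but not delegated by the parent")
    for ns in diff["missing_in_zone"]:
        problems.append(f"NS {ns} is delegated by the parent but not in the zone")
    if not zone_is_signed(zone, child):
        problems.append("zone is not signed (no apex DNSKEY/RRSIG); do not request a DS yet")
    return (not problems, problems)


# --- constructed sample responses (hypothetical; not real captures) ---------
CHILD_UNSIGNED = """
;; ANSWER SECTION:
john-oliver.net.   3600  IN  NS  ns2.sdsitehosting.net.
john-oliver.net.   3600  IN  NS  puck.nether.net.
"""
PARENT_DELEGATION = """
;; AUTHORITY SECTION:
john-oliver.net.   172800  IN  NS  puck.nether.net.
"""
PARENT_FIXED = PARENT_DELEGATION + "john-oliver.net.   172800  IN  NS  NS2.SDSITEHOSTING.NET.\n"
CHILD_SIGNED = CHILD_UNSIGNED + """
john-oliver.net.   3600  IN  RRSIG   NS 8 2 3600 20131113000000 20131014000000 12345 john-oliver.net. c29tZUJhc2U2NA==
john-oliver.net.   3600  IN  DNSKEY  257 3 8 AwEAAexamplekey==
john-oliver.net.   3600  IN  RRSIG   DNSKEY 8 2 3600 20131113000000 20131014000000 12345 john-oliver.net. c29tZUJhc2U2NA==
"""

if __name__ == "__main__":
    for label, child, parent in (("as reported", CHILD_UNSIGNED, PARENT_DELEGATION),
                                 ("after fixing", CHILD_SIGNED, PARENT_FIXED)):
        ok, problems = preflight("john-oliver.net", child, parent)
        print(label, "->", "OK to request DS" if ok else "NOT READY")
        for p in problems:
            print("   -", p)
```

The first scenario reproduces the thread's situation: one NS is missing from the delegation and no RRSIGs come back, so two problems are reported; the second scenario, with the delegation completed and the zone signed, passes both checks.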
