webex.com DNS Contact - Possibly Broken DNSSEC?
Reuben Farrelly
reuben-nanog at reub.net
Tue May 9 13:33:29 UTC 2023
Does anyone know of a contact (presumably at Webex/Cisco) who
can take a look at the DNS for webex.com?

It has been, for some time now, logging a lot of DNSSEC warnings on my
resolver:

dnssec: validating external-media75.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media75.public.wsinm-a-3.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media78.public.wbomm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media8.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)

(and a whole lot more hostnames in the same domain). Some basic DNSSEC
analysis indicates something in the middle of the trust chain is broken:
https://dnssec-analyzer.verisignlabs.com/external-media26.public.wjfkm-a-3.prod.infra.webex.com
It looks to me like the subdomains have DS records but the other parts
of the subdomain don't, and I guess there's no point in having DS records
on host records if the parent domain doesn't have them too.
I wouldn't bother if it was one or two entries, but it looks like the
whole domain is affected and this probably is a fairly widely utilised
domain.
Thanks,
Reuben
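
A triage sketch for resolver log lines like the ones quoted above, added here as an example and not part of the original post: it parses the "no valid signature found" entries and reports the longest DNS suffix shared by every failing name, which is where checking the delegation chain would start. It assumes the summarised line format shown in the post; the function names are illustrative.

```python
import re
from collections import Counter

# The four log lines quoted in the post, unwrapped to one entry per line.
SAMPLE_LOG = """\
dnssec: validating external-media75.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media75.public.wsinm-a-3.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media78.public.wbomm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media8.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
"""

# Assumed format: "validating <name>/<type>: no valid signature found[: N Time(s)]"
LINE_RE = re.compile(
    r"validating (?P<name>[^\s/]+)/(?P<rtype>[A-Z0-9]+): "
    r"no valid signature found(?:: (?P<count>\d+) Time\(s\))?"
)

def parse_failures(text):
    """Yield (owner name, record type, count) for each validation failure."""
    for m in LINE_RE.finditer(text):
        yield m["name"].rstrip(".").lower(), m["rtype"], int(m["count"] or 1)

def common_suffix(names):
    """Longest run of trailing DNS labels shared by every name."""
    shared = []
    # Compare labels from the root end: com, webex, infra, ...
    for labels in zip(*(n.split(".")[::-1] for n in names)):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def summarise(text):
    """Count failing names and record types, and find their shared suffix."""
    failures = list(parse_failures(text))
    names = sorted({name for name, _, _ in failures})
    by_type = Counter()
    for _, rtype, count in failures:
        by_type[rtype] += count
    return {
        "names": len(names),
        "by_type": dict(by_type),
        "suffix": common_suffix(names) if names else "",
    }

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

The shared suffix only shows where the failures cluster; which zone cut is missing or mis-signing its DS/DNSKEY records still has to be checked against the delegation chain itself.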