webex.com DNS Contact - Possibly Broken DNSSEC?

Reuben Farrelly reuben-nanog at reub.net
Tue May 9 13:33:29 UTC 2023


Does anyone know of a contact of someone (presumably at Webex/Cisco) who 
can take a look at the DNS for webex.com?

It has been, for some time now, logging a lot of DNSSEC warnings on my 
resolver:

dnssec: validating external-media75.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media75.public.wsinm-a-3.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media78.public.wbomm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media8.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)

(and a whole lot more hostnames in the same domain).  Some basic DNSSEC 
analysis indicates something in the middle of the trust chain is broken:

https://dnssec-analyzer.verisignlabs.com/external-media26.public.wjfkm-a-3.prod.infra.webex.com

It looks to me like the subdomains have DS records but the other parts 
of the subdomain don't, and I guess there's no point in having DS records 
on host records if the parent domain doesn't have them too.

I wouldn't bother if it was one or two entries, but it looks like the 
whole domain is affected and this probably is a fairly widely utilised 
domain.

Thanks,
Reuben
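
Added example, not part of the original message: a small triage script for resolver output like the lines quoted in the post. It parses the validation failures and reports the deepest domain name that covers all of them, which is where a check of the DS/DNSKEY chain would start. The function names are illustrative, and the regular expression assumes the log format of the four lines quoted above.

```python
import re
from collections import Counter

# The four log lines quoted in the post, each re-joined onto a single line.
SAMPLE_LOG = """\
dnssec: validating external-media75.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media75.public.wsinm-a-3.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media78.public.wbomm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
dnssec: validating external-media8.public.wnrtm-a-2.prod.infra.webex.com/NSEC: no valid signature found: 1 Time(s)
"""

# Assumed format: "dnssec: validating <name>/<rrtype>: <reason>: <n> Time(s)"
LINE_RE = re.compile(
    r"dnssec: validating (?P<name>\S+)/(?P<rrtype>[A-Z0-9]+): "
    r"(?P<reason>.+?): (?P<count>\d+) Time\(s\)"
)

def parse_failures(text):
    """Return (name, rrtype, reason, count) for every validation failure."""
    return [
        (m["name"].rstrip(".").lower(), m["rrtype"], m["reason"], int(m["count"]))
        for m in LINE_RE.finditer(text)
    ]

def common_ancestor(names):
    """Longest label suffix shared by all names (a name, not necessarily a zone cut)."""
    shared = []
    for labels in zip(*(n.split(".")[::-1] for n in names)):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def failures_by_parent(failures):
    """Sum failure counts per immediate parent of each failing name."""
    totals = Counter()
    for name, _rrtype, _reason, count in failures:
        totals[name.partition(".")[2]] += count
    return totals

if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("deepest common ancestor:", common_ancestor([f[0] for f in failures]))
    for parent, total in failures_by_parent(failures).most_common():
        print(f"{total:4d}  {parent}")
```

A common ancestor several labels above the failing host names means the failures are not isolated to one or two records, matching the observation in the post.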


