-2

Here is my scenario: I have built an LB on GCP (https).

  • Static reserved IP
  • DNSSEC set to on
  • DNS A and CNAME records
  • 4 web servers sit behind the LB
  • back end front end set for https

When going via IP, the LB works and the site comes up. When going via the DNS name, the site does NOT work in the US; however, if I use a VPN for another country, it works.

If you look here, you can see how DNS is propagated for some countries but not others: https://dnschecker.org/

If I use Google DNS Checker I get DNSSEC errors: https://dns.google.com/

I tried using a self-signed cert as well as a Google-managed cert, still the same issue.

I even tried rebuilding the LB with a new EXT IP completely. Any ideas would be appreciated. Thank you

Md Zubayer
  • Your problem is with your DNS server's DNSSEC settings. Edit your question and include the DNS settings. – John Hanley Nov 05 '18 at 15:32
  • Thank you @JohnHanley, I added a pic of the DNS settings. – Meir Miyara Nov 05 '18 at 15:37
  • Include your DNSSEC settings. – John Hanley Nov 05 '18 at 15:54
  • @JohnHanley there is no option to do so with GCP. It's either "On, Off or Transfer"... I cannot edit DNSSEC – Meir Miyara Nov 05 '18 at 15:58
  • @JohnHanley I think I MIGHT have located the issue, pending confirmation... you sparked the idea... I went to my Google Domains site, checked my domain and then added a new DNSSEC entry (keytag, Digest etc). The information I put there is the info I got from GCP Cloud DNS settings after clicking "Registrar Setup"... I am now waiting a few to see if this resolves the issue. ... – Meir Miyara Nov 05 '18 at 16:06
  • Confirmed fixed.... Thank you @JohnHanley for pointing me in the right direction !!!! I will edit my question to remove some private info, and leave this question for others to see.... – Meir Miyara Nov 05 '18 at 16:07
  • It can take a bit of time for the new DNSSEC settings to propagate around the world. – John Hanley Nov 05 '18 at 16:44

1 Answer

1

Upon further checking I realized that what I forgot to do is go to my Google Domains (or whatever you are using for your domain management) and add the DNSSEC information there: (Digest, type, ID, etc).

The information to put there can be found if you go to your GCP project --> Cloud DNS --> click on the zone --> click on "Registrar Setup" on the top right.

Use the info there, to put it in your domain admin DNSSEC config.
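As an added example (not part of the original answer and not Google's tooling): a check that the key tag, algorithm, digest type and digest entered at the registrar really correspond to the zone's DNSKEY, computed the way RFC 4034 defines them. The zone name, the 4-byte "key" and the stale DS entry are constructed sample values.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase) wire form of the zone name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](owner_wire(name) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(name, rdata, ds):
    """True if the DS entry held at the registrar points at this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    return make_ds(name, rdata, dtype) == (tag, alg, dtype, digest.replace(" ", "").upper())

# Constructed sample data: toy key in a zone named example.com (assumption).
ZONE = "example.com."
KEY = dnskey_rdata(257, 3, 8, "AQIDBA==")      # KSK flags, algorithm 8
GOOD_DS = make_ds(ZONE, KEY)                   # what "Registrar Setup" should show
STALE_DS = (GOOD_DS[0], 8, 2, "00" * 32)       # digest left over from another key

if __name__ == "__main__":
    for label, ds in (("current", GOOD_DS), ("stale", STALE_DS)):
        print(label, ds[0], ds[1], ds[2], ds[3][:16] + "...", ds_matches(ZONE, KEY, ds))
```

With real data, the DNSKEY fields come from the signed zone and the DS fields from what the registrar publishes; a DS that matches no DNSKEY in the zone makes validating resolvers reject the answers.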