topic Re: DNSSEC broken for updates.paloaltonetworks.com in General Topics

DNSSEC broken for updates.paloaltonetworks.com

SSargent_ICTWA — Tue, 17 May 2022 21:03:48 GMT

My organization uses the MS-ISAC MDBR public DNS resolver service. I received reports that this service was unexpectedly blocking resolution of updates.paloaltonetworks.com. I inquired and received the following explanation:

"The DNSSEC for that domain is broken. Since that means the records couldn’t be confirmed to be legitimate, the MDBR service was blocking them for security. We had to institute a manual work around to allow our partners to regain access until the DNSSEC can be fixed."

I verified the problem in the DNSSEC chain using https://dnssec-analyzer.verisignlabs.com/updates.paloaltonetworks.com:
1. updates.paloaltonetworks.com is a CNAME to updates.gslb.paloaltonetworks.com
2. updates.gslb.paloaltonetworks.com is a CNAME to updates.gcp.gslb.paloaltonetworks.com
3. No DS records found for gslb.paloaltonetworks.com in the paloaltonetworks.com zone
4. No DNSKEY records found

This was preventing us from receiving PAN-OS Dynamic Updates and Software Upgrades until MDBR instituted the temporary workaround. I submitted customer support case 02181213 on April 28th and have had two Technical Support Engineers ask me for remote sessions in my network to continue addressing the issue despite my explanation that it needs to be escalated to the team at Palo Alto responsible for managing the domain's public DNS records. Is anybody listening here that can save me further aggravation?

Re: DNSSEC broken for updates.paloaltonetworks.com

OtakarKlier — Tue, 17 May 2022 21:33:38 GMT

Hello,

Not with DNSSec, however the same thing happened to zoomgov.com a few weeks back. I do face the occasional cloud can be hit for whatever generic reason, but thats just cloud being cloud.

Regards,

Re: DNSSEC broken for updates.paloaltonetworks.com

SSargent_ICTWA — Fri, 20 May 2022 12:14:18 GMT

I'm not sure what you mean. Someone at Palo Alto is responsible for configuring DNSSEC for their domains and should fix this specific problem. It may not be trivial, but it's part of the responsible implementation of DNS. Broken DNSSEC is worse that no DNSSEC.

Re: DNSSEC broken for updates.paloaltonetworks.com

BPry — Sat, 21 May 2022 02:49:52 GMT

@SSargent_ICTWA,

I'd honestly bypass support with this and push this through your account team instead. Your not likely to have a good time going through TAC to get this passed to the right internal teams since most of the front-line likely doesn't even understand what your asking.

While your SE might not know where to put a ticket like this, they could pass it along through their channels and hopefully get it to someone that does know what internal team handles PANs DNS records.

Re: DNSSEC broken for updates.paloaltonetworks.com

DonJarmon — Mon, 13 Jun 2022 15:51:17 GMT

I'm having the same issue with DNSSEC and support run around. Using staticupdates.paloaltonetworks.com as an alternative.

Re: DNSSEC broken for updates.paloaltonetworks.com

DonJarmon — Thu, 16 Jun 2022 04:07:37 GMT

I have been told this will automagically get fixed tomorrow night. Please stand-by

Re: DNSSEC broken for updates.paloaltonetworks.com

SSargent_ICTWA — Fri, 17 Jun 2022 19:33:06 GMT

I haven't seen any evidence of this being fixed yet. DNSSEC Analyzer - updates.paloaltonetworks.com (verisignlabs.com)

Re: DNSSEC broken for updates.paloaltonetworks.com

phite_cpso — Tue, 21 Jun 2022 15:59:47 GMT

We are seeing the same thing, just FYI. I informed our SE and account manager.

Re: DNSSEC broken for updates.paloaltonetworks.com

SSargent_ICTWA — Thu, 01 Sep 2022 14:39:39 GMT

A few weeks ago, I was notified by support that this had been resolved. I verified the DNSSEC chain is correct and I worked with our DNS provider to test removing the DNSSEC bypass, and confirmed correct resolution of updates.paloaltonetworks.com.