Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-17-2022 02:03 PM
My organization uses the MS-ISAC MDBR public DNS resolver service. I received reports that this service was unexpectedly blocking resolution of updates.paloaltonetworks.com. I inquired and received the following explanation:
"The DNSSEC for that domain is broken. Since that means the records couldn’t be confirmed to be legitimate, the MDBR service was blocking them for security. We had to institute a manual work around to allow our partners to regain access until the DNSSEC can be fixed."
I verified the problem in the DNSSEC chain using https://dnssec-analyzer.verisignlabs.com/updates.paloaltonetworks.com:
1. updates.paloaltonetworks.com is a CNAME to updates.gslb.paloaltonetworks.com
2. updates.gslb.paloaltonetworks.com is a CNAME to updates.gcp.gslb.paloaltonetworks.com
3. No DS records found for gslb.paloaltonetworks.com in the paloaltonetworks.com zone
4. No DNSKEY records found
This was preventing us from receiving PAN-OS Dynamic Updates and Software Upgrades until MDBR instituted the temporary workaround. I submitted customer support case 02181213 on April 28th and have had two Technical Support Engineers ask me for remote sessions in my network to continue addressing the issue despite my explanation that it needs to be escalated to the team at Palo Alto responsible for managing the domain's public DNS records. Is anybody listening here that can save me further aggravation?
09-01-2022 07:39 AM
A few weeks ago, I was notified by support that this had been resolved. I verified the DNSSEC chain is correct and I worked with our DNS provider to test removing the DNSSEC bypass, and confirmed correct resolution of updates.paloaltonetworks.com.
05-17-2022 02:33 PM
Hello,
Not with DNSSec, however the same thing happened to zoomgov.com a few weeks back. I do face the occasional cloud can be hit for whatever generic reason, but thats just cloud being cloud.
Regards,
05-20-2022 05:14 AM
I'm not sure what you mean. Someone at Palo Alto is responsible for configuring DNSSEC for their domains and should fix this specific problem. It may not be trivial, but it's part of the responsible implementation of DNS. Broken DNSSEC is worse that no DNSSEC.
05-20-2022 07:49 PM
I'd honestly bypass support with this and push this through your account team instead. Your not likely to have a good time going through TAC to get this passed to the right internal teams since most of the front-line likely doesn't even understand what your asking.
While your SE might not know where to put a ticket like this, they could pass it along through their channels and hopefully get it to someone that does know what internal team handles PANs DNS records.
06-13-2022 08:51 AM
I'm having the same issue with DNSSEC and support run around. Using staticupdates.paloaltonetworks.com as an alternative.
06-15-2022 09:07 PM
I have been told this will automagically get fixed tomorrow night. Please stand-by
06-17-2022 12:33 PM
I haven't seen any evidence of this being fixed yet. DNSSEC Analyzer - updates.paloaltonetworks.com (verisignlabs.com)
06-21-2022 08:59 AM
We are seeing the same thing, just FYI. I informed our SE and account manager.
09-01-2022 07:39 AM
A few weeks ago, I was notified by support that this had been resolved. I verified the DNSSEC chain is correct and I worked with our DNS provider to test removing the DNSSEC bypass, and confirmed correct resolution of updates.paloaltonetworks.com.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
