DNSSEC broken for updates.paloaltonetworks.com

Showing results for 
Search instead for 
Did you mean: 

DNSSEC broken for updates.paloaltonetworks.com

L1 Bithead

My organization uses the MS-ISAC MDBR public DNS resolver service. I received reports that this service was unexpectedly blocking resolution of updates.paloaltonetworks.com. I inquired and received the following explanation:

"The DNSSEC for that domain is broken. Since that means the records couldn’t be confirmed to be legitimate, the MDBR service was blocking them for security. We had to institute a manual work around to allow our partners to regain access until the DNSSEC can be fixed."

I verified the problem in the DNSSEC chain using https://dnssec-analyzer.verisignlabs.com/updates.paloaltonetworks.com:
1. updates.paloaltonetworks.com is a CNAME to updates.gslb.paloaltonetworks.com
2. updates.gslb.paloaltonetworks.com is a CNAME to updates.gcp.gslb.paloaltonetworks.com
3. No DS records found for gslb.paloaltonetworks.com in the paloaltonetworks.com zone
4. No DNSKEY records found

This was preventing us from receiving PAN-OS Dynamic Updates and Software Upgrades until MDBR instituted the temporary workaround. I submitted customer support case 02181213 on April 28th and have had two Technical Support Engineers ask me for remote sessions in my network to continue addressing the issue despite my explanation that it needs to be escalated to the team at Palo Alto responsible for managing the domain's public DNS records. Is anybody listening here that can save me further aggravation?


Cyber Elite
Cyber Elite


Not with DNSSec, however the same thing happened to zoomgov.com a few weeks back. I do face the occasional cloud can be hit for whatever generic reason, but thats just cloud being cloud.



I'm not sure what you mean. Someone at Palo Alto is responsible for configuring DNSSEC for their domains and should fix this specific problem. It may not be trivial, but it's part of the responsible implementation of DNS. Broken DNSSEC is worse that no DNSSEC.


I'd honestly bypass support with this and push this through your account team instead. Your not likely to have a good time going through TAC to get this passed to the right internal teams since most of the front-line likely doesn't even understand what your asking.

While your SE might not know where to put a ticket like this, they could pass it along through their channels and hopefully get it to someone that does know what internal team handles PANs DNS records. 

L1 Bithead

I'm having the same issue with DNSSEC and support run around.  Using staticupdates.paloaltonetworks.com as an alternative.

I have been told this will automagically get fixed tomorrow night.  Please stand-by

I haven't seen any evidence of this being fixed yet. DNSSEC Analyzer - updates.paloaltonetworks.com (verisignlabs.com)

L0 Member

We are seeing the same thing, just FYI. I informed our SE and account manager.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!