DNSSEC broken for updates.paloaltonetworks.com

My organization uses the MS-ISAC MDBR public DNS resolver service. I received reports that this service was unexpectedly blocking resolution of updates.paloaltonetworks.com. I inquired and received the following explanation:

"The DNSSEC for that domain is broken. Since that means the records couldn’t be confirmed to be legitimate, the MDBR service was blocking them for security. We had to institute a manual workaround to allow our partners to regain access until the DNSSEC can be fixed."

I verified the problem in the DNSSEC chain using https://dnssec-analyzer.verisignlabs.com/updates.paloaltonetworks.com:
1. updates.paloaltonetworks.com is a CNAME to updates.gslb.paloaltonetworks.com
2. updates.gslb.paloaltonetworks.com is a CNAME to updates.gcp.gslb.paloaltonetworks.com
3. No DS records found for gslb.paloaltonetworks.com in the paloaltonetworks.com zone
4. No DNSKEY records found

This was preventing us from receiving PAN-OS Dynamic Updates and Software Upgrades until MDBR instituted the temporary workaround. I submitted customer support case 02181213 on April 28th and have had two Technical Support Engineers ask me for remote sessions in my network to continue addressing the issue despite my explanation that it needs to be escalated to the team at Palo Alto responsible for managing the domain's public DNS records. Is anybody listening here that can save me further aggravation?
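
The check listed in the post, as an added example that is not part of the original post: it follows the CNAME chain and reports, for each hop, the enclosing zone and whether a DS and DNSKEY exist for it. The record data is constructed from the post's four findings (the signed state of `paloaltonetworks.com` is an assumption), and all function names are hypothetical.

```python
# Constructed records mirroring the four findings in the post; not live DNS data.
CNAMES = {
    "updates.paloaltonetworks.com": "updates.gslb.paloaltonetworks.com",
    "updates.gslb.paloaltonetworks.com": "updates.gcp.gslb.paloaltonetworks.com",
}
# Zone apex -> does the parent publish a DS, does the apex publish DNSKEYs.
ZONES = {
    "paloaltonetworks.com": {"ds": True, "dnskey": True},  # assumed for the example
    "gslb.paloaltonetworks.com": {"ds": False, "dnskey": False},
}

def cname_chain(name, cnames=CNAMES):
    """Follow CNAMEs from name, stopping at the final target or on a loop."""
    chain = [name]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            raise ValueError(f"CNAME loop at {nxt}")
        chain.append(nxt)
    return chain

def enclosing_zone(name, zones=ZONES):
    """Return the longest known zone apex that is a label-aligned suffix of name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise LookupError(f"no known zone for {name}")

def link_status(zone, zones=ZONES):
    """Classify the parent-to-child link for one zone."""
    z = zones[zone]
    if not z["ds"]:
        return "no-ds"  # the signed chain stops at this delegation
    return "signed" if z["dnskey"] else "ds-without-dnskey"

def audit(name):
    """Return (owner name, enclosing zone, link status) for each hop."""
    return [(n, enclosing_zone(n), link_status(enclosing_zone(n)))
            for n in cname_chain(name)]

def first_break(name):
    """Return the first hop whose zone is not 'signed', or None."""
    return next((hop for hop in audit(name) if hop[2] != "signed"), None)

if __name__ == "__main__":
    for hop in audit("updates.paloaltonetworks.com"):
        print(*hop, sep="  ")
```

With the constructed data, the first hop that leaves the signed chain is `updates.gslb.paloaltonetworks.com`, matching findings 3 and 4 in the post.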
