DNSSEC not set up correctly on Taiwanese websites

My DNS checks DNSSEC and does not resolve when it does not check out. I have run into multiple websites that have DNSSEC turned on, but the admins didn’t check (???) if it is working.

For example, I cannot visit Taiwan Railways Administration, MOTC without disabling DNS security.

Analysis:
railway.gov.tw | DNSViz
www.railway.gov.tw | DNSViz
DNSSEC Analyzer - tip.railway.gov.tw
DNSSEC Analyzer - www.railway.gov.tw

tip.railway.gov.tw/A: The Authoritative Answer (AA) flag was not set in the response. (163.29.186.200, 163.29.186.201, 210.241.82.200, 210.241.82.201, 2001:4420:60ab:1fd::6, 2001:4420:60ab:1fd::7, 2001:4420:60ac:1fd::6, 2001:4420:60ac:1fd::7, UDP_-_EDNS0_4096_D_K)
tip.railway.gov.tw/AAAA: The Authoritative Answer (AA) flag was not set in the response. (163.29.186.200, 163.29.186.201, 210.241.82.200, 210.241.82.201, 2001:4420:60ab:1fd::6, 2001:4420:60ab:1fd::7, 2001:4420:60ac:1fd::6, 2001:4420:60ac:1fd::7, UDP_-_EDNS0_4096_D_K)

Can someone nudge the government website admins to fix DNSSEC…

2 Likes
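Added example (not part of the original post): a validating resolver answers SERVFAIL when DNSSEC validation fails, and repeating the query with the Checking Disabled (CD) bit shows whether the data exists underneath. The sketch decodes the DNS header flags, including the AA flag that DNSViz reports as missing, and compares the two replies; the header bytes are constructed samples, not captured traffic.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035; AD/CD bits per RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than its 12-byte header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "qr": bool(flags & 0x8000),  # message is a response
        "aa": bool(flags & 0x0400),  # Authoritative Answer
        "ad": bool(flags & 0x0020),  # Authenticated Data: resolver validated it
        "cd": bool(flags & 0x0010),  # Checking Disabled was requested
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "ancount": ancount,
    }

def triage(normal: bytes, checking_disabled: bytes) -> str:
    """Compare a validating resolver's replies to one question sent with CD=0 and CD=1."""
    n, c = parse_header(normal), parse_header(checking_disabled)
    if n["rcode"] == "SERVFAIL" and c["rcode"] == "NOERROR" and c["ancount"] > 0:
        return "dnssec-validation-failure"  # data exists, validation rejected it
    if n["rcode"] == "NOERROR":
        return "secure" if n["ad"] else "insecure"
    if n["rcode"] == c["rcode"]:
        return "not-dnssec:" + n["rcode"]   # fails the same way without validation
    return "inconclusive"

def missing_aa(auth_reply: bytes) -> bool:
    """True when a reply from a server in the zone's NS set lacks the AA flag."""
    h = parse_header(auth_reply)
    return h["qr"] and not h["aa"]

def _hdr(flags: int, ancount: int) -> bytes:
    """Build a constructed header: ID 0x1234, one question, `ancount` answers."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample headers (not captured traffic).
SERVFAIL_REPLY = _hdr(0x8182, 0)  # QR RD RA, rcode=SERVFAIL
CD_REPLY = _hdr(0x8190, 1)        # QR RD RA CD, rcode=NOERROR, one answer
SECURE_REPLY = _hdr(0x81A0, 1)    # QR RD RA AD, rcode=NOERROR
AUTH_NO_AA = _hdr(0x8000, 1)      # QR only: the condition DNSViz flags

if __name__ == "__main__":
    print(triage(SERVFAIL_REPLY, CD_REPLY), missing_aa(AUTH_NO_AA))
```

The same comparison can be made by hand with `dig` and `dig +cd` against the validating resolver.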

Maybe something amiss with the TRA website today as I get an error message too. It usually works though and did for me a few days back.

Message was “DNS_PROBE_FINISHED_NXDOMAIN”

Not just today. But I don’t know since when they have that issue.

Kind of sucks because of this

Here is one of the small commercial websites:
https://www.heroinemake.com.tw
(they don’t make heroin :happy_frog:)

Analysis: www.heroinemake.com.tw | DNSViz

Alright, I got hold of Audrey Tang.

Thank you. I checked
https://tip.railway.gov.tw/
on mobile Firefox on my Android and it’s indeed broken — we’ll help expedite the fix.

6 Likes

Update! Railway Website has been fixed. :tada:
Many thanks to Audrey Tang


Found next problem

MOE
www.edu.tw | DNSViz


Should the Taiwanese government pay me bounty? :thinking:
/jk

7 Likes

Great work!

2 Likes

I decided to test various government websites.

| Institution | Website | DNSSEC Status | Notes |
|---|---|---|---|
| Taiwan Railways Administration (TRA) | www.railway.gov.tw | :white_check_mark: valid | fixed 09.01.2023 |
| Ministry of Transportation and Communications (MOTC) | www.motc.gov.tw | :heavy_minus_sign: not enabled | |
| Ministry of Education (MOE) | www.edu.tw | :white_check_mark: valid | fixed 11.01.2023 |
| Ministry of Culture (MOC) | www.moc.gov.tw | :white_check_mark: valid | |
| Ministry of Digital Affairs (MODA) | www.moda.gov.tw | :white_check_mark: valid | |
| Ministry of Economic Affairs (MOEA) | www.moea.gov.tw | :heavy_minus_sign: not enabled | :x: CNAME www-moea.cdn.hinet.net without DNSSEC |
| Ministry of Finance (MOF) | www.mof.gov.tw | :white_check_mark: valid | :x: CNAME mof-fia.cdn.hinet.net without DNSSEC |
| Ministry of Foreign Affairs (MOFA) | www.mofa.gov.tw | :white_check_mark: valid | :x: CNAME www-mofa.cdn.hinet.net without DNSSEC |
| Ministry of Health and Welfare (MOHW) | www.mohw.gov.tw | :white_check_mark: valid | |
| Ministry of the Interior (MOI) | www.moi.gov.tw | :heavy_minus_sign: not enabled | :x: CNAME www-moiweb.cdn.hinet.net without DNSSEC |
| Ministry of Justice (MOJ) | www.moj.gov.tw | :white_check_mark: valid | |
| Ministry of Labor (MOL) | www.mol.gov.tw | :white_check_mark: valid | :x: CNAME web-molwww.cdn.hinet.net without DNSSEC |
| Ministry of National Defense (MND) | www.mnd.gov.tw | :heavy_minus_sign: not enabled | |
| Central Bank of the Republic of China (CBC) | www.cbc.gov.tw | :white_check_mark: valid | :x: CNAME www-cbc.cdn.hinet.net without DNSSEC |
| Government of the Republic of China | taiwan.gov.tw | :heavy_minus_sign: not enabled | |
| Office of the President | www.president.gov.tw | :heavy_minus_sign: not enabled | :x: CNAME www-oop.cdn.hinet.net without DNSSEC |
| Executive Yuan | www.ey.gov.tw | :white_check_mark: valid | :x: CNAME www-ey.cdn.hinet.net without DNSSEC |

More to add later from here: Taiwan.gov.tw

1 Like
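Added example (not part of the original post): the ":x: CNAME ... without DNSSEC" rows matter because a validating resolver can only authenticate an answer when every name in the CNAME chain sits in a signed zone. The sketch walks a chain and reports the first hop that leaves signed space; the zone cuts and their signed/unsigned flags are constructed to mirror the MOFA row of the table, not read from live DNS, and bogus signatures are not modelled.

```python
# Constructed zone cuts: True = signed with a DS chain to the root, False = unsigned.
ZONES = {"tw": True, "gov.tw": True, "net": True, "hinet.net": False}
# Constructed CNAME data modelled on the MOFA row of the table.
CNAMES = {"www.mofa.gov.tw": "www-mofa.cdn.hinet.net"}

def zone_of(name, zones):
    """Closest enclosing zone cut: the longest zone name that is a suffix of `name`."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def audit_chain(name, cnames=CNAMES, zones=ZONES, max_hops=8):
    """Walk the CNAME chain and report whether the final answer can be authenticated."""
    hops, seen = [], set()
    current = name.rstrip(".").lower()
    while True:
        if current in seen or len(hops) >= max_hops:
            return {"status": "error", "reason": "CNAME loop or chain too long",
                    "hops": hops}
        seen.add(current)
        zone = zone_of(current, zones)
        # A name is covered only if its closest enclosing zone is signed.
        hops.append((current, zone, bool(zone and zones[zone])))
        if current not in cnames:
            break
        current = cnames[current].rstrip(".").lower()
    unsigned = [hop for hop in hops if not hop[2]]
    return {
        "status": "secure" if not unsigned else "insecure",
        "first_unsigned_hop": unsigned[0][0] if unsigned else None,
        "hops": hops,
    }

if __name__ == "__main__":
    report = audit_chain("www.mofa.gov.tw")
    print(report["status"], report["first_unsigned_hop"])
```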

Ministry of Education websites are now working.

The ‘Revised Mandarin Chinese Dictionary’ I specifically mentioned has good DNSSEC

[Images: before | after]


Now I hope they can kick some asses at hinet.net to enable DNSSEC, hosting government content.

2 Likes

The Domain Name System (DNS) is the distributed database used for converting domain names into Internet addresses. DNSSEC, or Domain Name System Security Extensions, is a feature to help prevent accessing impersonated or fraudulent bank websites, for example. DNSSEC has been available for 15 years and mandated by the US government for federal domains since 2008.

I requested that MOFA consider mandating DNSSEC for all Taiwanese government website domains, like in the USA, and make an informational leaflet for them to send to financial institutions.

2 Likes

Is anyone else having issues with the WDA website?

https://ezworktaiwan.wda.gov.tw/en/

I’ve been noticing issues for the past 2 weeks when I’ve shared links to business owners/entrepreneurs looking to hire a foreigner / get a director work permit.

I rang the Ministry of Labor, Workforce Development Agency earlier and we checked the website together while on the phone and tada, it was working ok then, but now it's back to having issues, it seems, for me. Any ideas?