[dns-operations] Comcast DNSSEC resolver testbed: many failures
Mark Andrews
marka at isc.org
Mon Dec 21 00:18:11 UTC 2009
In message <87ljgxe46u.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> Simple queries such as the following one appear to fail:
>
> ; <<>> DiG 9.6.1-P2 <<>> @68.87.64.154 www.isc.org +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39131
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4000
> ;; QUESTION SECTION:
> ;www.isc.org. IN A
>
> ;; Query time: 1268 msec
> ;; SERVER: 68.87.64.154#53(68.87.64.154)
> ;; WHEN: Sun Dec 20 22:10:21 2009
> ;; MSG SIZE rcvd: 40
>
> IP address is taken from <http://www.dnssec.comcast.net/>; it's the
> Nominum Vantion instance. The Unbound instance appears to be
> similarly affected. The BIND instance seems to work.
"@68.87.64.154 www.isc.org +dnssec +cd" works and looks good.
"@68.87.64.154 ds isc.org +dnssec" works and looks good (AD asserted).
"@68.87.64.154 dnskey isc.org +dnssec +cd" fails.
This implies it is not a DNSSEC validation failure.
I suspect a firewall dropping fragmented IP packets as the servers
are not returning minimal responses to DNSKEY queries. Yes, I have
recommended that the servers be upgraded to ones which do return
minimal responses.
Mark
> Could someone please take a look? Thanks.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
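The elimination reasoning in the reply (+cd works, DS validates with AD, DNSKEY fails even with +cd, therefore not a validation failure) can be applied mechanically to dig output. The following is an added Python example, not code from the thread or from ISC: it parses dig's summary lines for each probe and returns the same conclusion. The dig outputs are constructed for the example; only the SERVFAIL header follows the quoted output, the other three are made up to show the pattern described.

```python
import re

# Constructed dig summary lines for the four probes discussed in the reply.
# Only the first mirrors the quoted output; the rest are made-up samples.
SAMPLE = {
    "a_www_isc_org": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39131
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 40""",
    "a_www_isc_org_cd": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 190""",
    "ds_isc_org": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 220""",
    "dnskey_isc_org_cd": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 36""",
}


def parse_dig(text):
    """Extract rcode, header flags and received size from dig's summary lines."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"flags: ([\w ]*);", text).group(1).split())
    size = int(re.search(r"MSG SIZE\s+rcvd: (\d+)", text).group(1))
    return {"status": status, "flags": flags, "size": size}


def diagnose(probes):
    """Apply the reply's elimination logic to the four parsed probes."""
    a, a_cd = probes["a_www_isc_org"], probes["a_www_isc_org_cd"]
    ds, key_cd = probes["ds_isc_org"], probes["dnskey_isc_org_cd"]
    if a["status"] != "SERVFAIL":
        return "ok"
    if a_cd["status"] == "NOERROR" and key_cd["status"] == "NOERROR":
        # Only validating lookups fail: the chain of trust itself is broken.
        return "validation-failure"
    if (key_cd["status"] == "SERVFAIL" and ds["status"] == "NOERROR"
            and "ad" in ds["flags"]):
        # The small DS answer validates, yet even an unvalidated (+cd) DNSKEY
        # fetch fails: the resolver never receives the large DNSKEY response,
        # which points at transport (e.g. dropped fragments), not validation.
        return "dnskey-fetch-failure"
    return "inconclusive"


if __name__ == "__main__":
    print(diagnose({k: parse_dig(v) for k, v in SAMPLE.items()}))
```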