[dns-operations] Comcast DNSSEC resolver testbed: many failures
Griffiths, Chris
Chris_Griffiths at Cable.Comcast.com
Mon Dec 21 13:12:58 UTC 2009
We just recently wrapped up some upgrades to our production resolvers and
load balancer gear and these servers are next on the list to be updated and
we will take a look at the fragmentation issue at that time.
Thanks
--
Chris Griffiths
Comcast Cable Communications, Inc.
National Engineering and Technical Operations
On 12/20/09 7:18 PM, "Mark Andrews" <marka at isc.org> wrote:
>
> In message <87ljgxe46u.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>> Simple queries such as the following one appear to fail:
>>
>> ; <<>> DiG 9.6.1-P2 <<>> @68.87.64.154 www.isc.org +dnssec
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39131
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4000
>> ;; QUESTION SECTION:
>> ;www.isc.org. IN A
>>
>> ;; Query time: 1268 msec
>> ;; SERVER: 68.87.64.154#53(68.87.64.154)
>> ;; WHEN: Sun Dec 20 22:10:21 2009
>> ;; MSG SIZE rcvd: 40
>>
>> IP address is taken from <http://www.dnssec.comcast.net/>; it's the
>> Nominum Vantion instance. The Unbound instance appears to be
>> similarly affected. The BIND instance seems to work.
>
> "@68.87.64.154 www.isc.org +dnssec +cd" works and looks good.
> "@68.87.64.154 ds isc.org +dnssec" works and looks good (AD asserted).
> "@68.87.64.154 dnskey isc.org +dnssec +cd" fails.
>
> This implies it is not a DNSSEC validation failure.
>
> I suspect a firewall dropping fragmented IP packets as the servers
> are not returning minimal responses to DNSKEY queries. Yes, I have
> recommended that the servers be upgraded to ones which do return
> minimal responses.
>
> Mark
>
>> Could someone please take a look? Thanks.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
More information about the dns-operations
mailing list