[dns-operations] DNSSEC problem at one.com

Patrik Wallström pawal at blipp.com
Mon Apr 29 14:26:12 UTC 2013


On Apr 29, 2013, at 3:58 PM, bert hubert wrote:

> On Mon, Apr 29, 2013 at 03:31:18PM +0200, Patrik Wallström wrote:
>> Most problems still come from PowerDNS. They do PowerDNS with signing on
>> all of their name servers.  We have previously seen problems with PowerDNS
>> in combination with BIND resolvers, since PowerDNS with DNSSEC sometimes
>> takes a long time to answer due to signing.  This causes EDNS0
>> blacklisting in BIND.  I am not sure that this is the issue this time.
> 
> Hi Patrik,
> 
> Half of your analysis matches our experiences. The real issue is not that
> the signing is slow, but that we mess up some answers which BIND interprets
> as a timeout (correctly so), and then does the EDNS blacklisting (which is
> more difficult).
> 
> This issue has been investigated since late 2012, but it has only recently
> become clear which queries are causing the problems.
> 
> Note that even with a patched PowerDNS, intermittent timeouts will cause
> such problems.  Brief network interruptions might have prolonged effects
> this way.

Thanks for the clarification, Bert.

Since the registry is only an administrative middleman between the name servers of the signed domains and the resolver operators, we do not see the traffic or have any other insight into the authoritative name servers and the resolvers. This makes it hard for us to make any proper evaluation of the cause of these kinds of errors.

So thank you for your effort in debugging these problems.
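The thread turns on one observable behaviour: an authoritative server that answers a plain query but times out (or answers badly) on an EDNS0/DO query will make BIND fall back and stop sending EDNS to that server, which breaks DNSSEC validation for everything it hosts. The following probe is an added example, not code from either poster or from the PowerDNS or BIND projects. It builds raw DNS queries with and without an OPT record, sends both to a server the operator names on the command line, times each, and parses the reply to report whether the OPT record, DO bit and RRSIGs came back. The server address and zone name are placeholders supplied at run time; the packet builder and parser are the author's own minimal implementation of RFC 1035/6891 wire format, not any library's API.

```python
import socket
import struct
import sys
import time

# Added example, not from the mailing-list posts. Wire-format constants from RFC 1035 / RFC 6891.
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # high bit of the OPT TTL's low 16 bits (RFC 6891 section 6.1.4)


def encode_name(name):
    """Encode a dotted name as DNS labels (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, edns=True, do=True, udp_size=4096, qid=0x1234):
    """Build a recursion-desired query; with edns=True an OPT RR is appended in the additional section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    pkt = header + question
    if edns:
        # OPT RR: root owner name, type 41, CLASS = requester UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16, DO is the top flag bit), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT if do else 0, 0)
    return pkt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(data):
    """Summarise header flags and look for OPT/RRSIG records in all sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    info = {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": an,
            "has_opt": False, "do": False, "udp_size": 512, "rrsig": False}
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["has_opt"] = True
            info["udp_size"] = rclass
            info["do"] = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            info["rrsig"] = True
    return info


def probe(server, name, edns=True, do=True, timeout=2.0):
    """Send one query over UDP and time the answer; a timeout is the condition that triggers EDNS fallback."""
    q = build_query(name, edns=edns, do=do)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(65535)
    except socket.timeout:
        return {"timeout": True, "elapsed": time.monotonic() - start}
    finally:
        s.close()
    info = parse_response(data)
    info["timeout"] = False
    info["elapsed"] = time.monotonic() - start
    return info


if __name__ == "__main__":
    # usage: python probe.py <server-ip> <zone-name>   (both are placeholders chosen by the operator)
    server, name = sys.argv[1], sys.argv[2]
    plain = probe(server, name, edns=False)
    signed = probe(server, name, edns=True, do=True)
    print("plain  :", plain)
    print("EDNS/DO:", signed)
    if not plain.get("timeout") and signed.get("timeout"):
        print("EDNS/DO query timed out while the plain query answered: a resolver would fall back and lose DNSSEC")
```

Run it against each authoritative server of a signed zone; a consistently slow or missing EDNS/DO answer next to a fast plain answer is exactly the pattern that makes a validating resolver blacklist EDNS for that server, so that comparison is the check to repeat from several vantage points before concluding that the resolver side is at fault.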
