[dns-operations] comcast.net DNSSEC validation issues

Rob Foehl rwf at loonybin.net
Wed Jun 21 22:13:54 UTC 2017

For the last week or so, I've had a pair of resolvers that are repeatedly 
getting insecure or otherwise invalid responses from the authoritative 
servers for comcast.net, resulting in bad cache entries for comcast.net DS 
records (invalidating the whole tree) on BIND 9.9 and SERVFAILs for 
specific triggering queries on 9.10.

This was originally narrowed down to one query:

gmail.com:\032haughtington.comcast.net DS

Flushing the cache was sufficient as a temporary fix.  Today, I had a 
dozen resolvers across the US all do this, without similarly odd queries 
having been seen.  This persisted for several hours, regardless of cache 
flushes; any subsequent query for comcast.net would result in bad cache 
entries.  It mostly cleared up a few hours ago, but I've had a few 
recurrences since.

Would anyone from Comcast mind taking a look at this, if you're not 
already aware?  I have packet captures of offending traffic and plenty of 
logs, happy to share whatever you need to see.
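The odd query named above uses the DNS presentation-format escape `\032`, which decodes to a space (decimal 32), so the owner name actually contained whitespace. Below is an added example, not part of this post or of any Comcast or BIND code, that scans BIND-style query-log lines, decodes such escapes, and flags DS lookups whose owner names carry characters a hostname would not, which is one way a resolver operator could spot similar triggering queries before they poison a DS cache entry. The log lines are constructed and only approximate BIND's querylog layout.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed BIND-style query-log lines (not from the original post).
# Layout approximates BIND 9.9's "queries" category; the second line carries
# the odd name quoted in the post, with \032 being the presentation-format
# escape for a space (decimal 32).
SAMPLE_LOG = """\
21-Jun-2017 21:58:03.117 client 192.0.2.10#53411 (comcast.net): query: comcast.net IN DS + (198.51.100.1)
21-Jun-2017 21:58:04.502 client 192.0.2.11#40122 (gmail.com:\\032haughtington.comcast.net): query: gmail.com:\\032haughtington.comcast.net IN DS + (198.51.100.1)
21-Jun-2017 21:58:05.010 client 192.0.2.12#51000 (www.example.com): query: www.example.com IN A + (198.51.100.1)
"""

QUERY_RE = re.compile(r'query: (?P<name>\S+) IN (?P<qtype>\S+)')
ESCAPE_RE = re.compile(r'\\(\d{3}|.)')
# Characters a conventional hostname label may carry (underscore allowed for
# SRV/TXT-style owners). Anything else after unescaping is worth a look.
HOSTNAME_OK = re.compile(r'^[A-Za-z0-9._-]+$')


def unescape_dns_name(name: str) -> str:
    """Decode RFC 1035 presentation escapes: \\DDD -> chr(DDD), \\X -> X."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3 and tok.isdigit():
            return chr(int(tok))
        return tok
    return ESCAPE_RE.sub(repl, name)


@dataclass
class Finding:
    raw_name: str
    decoded_name: str
    qtype: str
    reasons: List[str] = field(default_factory=list)


def inspect_query(raw_name: str, qtype: str) -> List[str]:
    """Return reasons a query name looks odd; an empty list means unremarkable."""
    decoded = unescape_dns_name(raw_name)
    reasons = []
    if any(c.isspace() for c in decoded):
        reasons.append("embedded whitespace in owner name")
    if not HOSTNAME_OK.match(decoded):
        bad = sorted({c for c in decoded if not re.match(r'[A-Za-z0-9._-]', c)})
        reasons.append("non-hostname characters: " + repr("".join(bad)))
    # A DS lookup is on the DNSSEC validation path, so an odd owner there
    # deserves extra attention (bad DS cache entries affect the whole subtree).
    if qtype.upper() == "DS" and reasons:
        reasons.append("DS lookup for an unusual owner (validation path)")
    return reasons


def scan_querylog(text: str) -> List[Finding]:
    """Parse querylog lines and return only the queries that drew a reason."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        raw, qtype = m.group("name"), m.group("qtype")
        reasons = inspect_query(raw, qtype)
        if reasons:
            findings.append(Finding(raw, unescape_dns_name(raw), qtype, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_querylog(SAMPLE_LOG):
        print(f.qtype, f.raw_name, "->", repr(f.decoded_name))
        for r in f.reasons:
            print("   -", r)
```

Run against a real `queries` log file by passing its contents to `scan_querylog`; the escape decoder is the important part, since BIND logs whitespace and other non-printable bytes only in `\DDD` form and a plain substring search for a space would miss them.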
