[dns-operations] comcast.net DNSSEC validation issues
Rob Foehl
rwf at loonybin.net
Wed Jun 21 22:13:54 UTC 2017
For the last week or so, I've had a pair of resolvers that are repeatedly
getting insecure or otherwise invalid responses from the authoritative
servers for comcast.net, resulting in bad cache entries for comcast.net DS
records (invalidating the whole tree) on BIND 9.9 and SERVFAILs for
specific triggering queries on 9.10.

This was originally narrowed down to one query:

gmail.com:\032haughtington.comcast.net DS

Flushing the cache was sufficient as a temporary fix. Today, I had a
dozen resolvers across the US all do this, without similarly odd queries
having been seen. This persisted for several hours, regardless of cache
flushes; any subsequent query for comcast.net would result in bad cache
entries. It mostly cleared up a few hours ago, but I've had a few
recurrences since.

Would anyone from Comcast mind taking a look at this, if you're not
already aware? I have packet captures of offending traffic and plenty of
logs, happy to share whatever you need to see.

Thanks,
-Rob
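A diagnostic helper, added here and not part of Rob's post, for telling the two failure modes he describes apart: it classifies a resolver's DS answer from `dig +dnssec` header output as secure, insecure or bogus, and separates a local validation failure from a broken upstream by comparing runs with and without `+cd`. The function names and the sample dig headers are constructed for illustration.

```bash
#!/bin/sh
# classify_dig_output: read the ";; ->>HEADER<<-" and ";; flags:" lines of
# `dig +dnssec` output and print secure / insecure / bogus / other:<STATUS>.
classify_dig_output() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;               # validator rejected the data, or upstream failed
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;      # AD bit: resolver validated the chain
                *)        echo insecure ;;    # answered, but not validated (bad DS cache?)
            esac ;;
        *) echo "other:$status" ;;
    esac
}

# diagnose: combine a normal run with a +cd (checking disabled) run.
# SERVFAIL only without +cd means the resolver's validator is failing;
# SERVFAIL in both means the authoritative side is unreachable or broken.
diagnose() {  # usage: diagnose <class-without-cd> <class-with-cd>
    case "$1/$2" in
        bogus/bogus)  echo upstream-failure ;;
        bogus/*)      echo validation-failure ;;
        insecure/*)   echo unvalidated-answer ;;
        secure/*)     echo ok ;;
        *)            echo "unknown:$1/$2" ;;
    esac
}

# probe_ds: live check against one resolver (hypothetical helper; needs network).
probe_ds() {  # usage: probe_ds <resolver-ip> <zone>
    normal=$(classify_dig_output "$(dig @"$1" "$2" DS +dnssec +noall +comments +answer)")
    cd=$(classify_dig_output "$(dig @"$1" "$2" DS +dnssec +cd +noall +comments +answer)")
    diagnose "$normal" "$cd"
}

# Constructed sample headers (not real captures) so the logic runs offline.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Run `probe_ds <resolver> comcast.net` against each affected resolver; a `validation-failure` verdict matches the cache-poisoning symptom above, while `upstream-failure` points at the authoritative servers instead.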