[dns-operations] comcast.net DNSSEC validation issues

[Feldman, Mark]

Hi, Rob.  Feel free to provide me your additional details off-list.
Funny thing is that we don't have a haughtington.comcast.net subdomain (or
label), so you should get NXDOMAIN there.  DS queries go to the parent,
which for comcast.net would be the .net name servers.  We haven't touched
KSKs/DS records in quite some time.  It would be interesting to know if
others are seeing this 1) at all, 2) with BIND, and 3) with any other
validating resolver.

  Mark
  Comcast Core INfrastructure Services -- we do DNS and more!


On 6/21/17, 6:13 PM, "dns-operations on behalf of Rob Foehl"
<dns-operations-bounces at dns-oarc.net on behalf of rwf at loonybin.net> wrote:

>For the last week or so, I've had a pair of resolvers that are repeatedly
>getting insecure or otherwise invalid responses from the authoritative
>servers for comcast.net, resulting in bad cache entries for comcast.net
>DS 
>records (invalidating the whole tree) on BIND 9.9 and SERVFAILs for
>specific triggering queries on 9.10.
>
>This was originally narrowed down to one query:
>
>gmail.com:\032haughtington.comcast.net DS
>
>Flushing the cache was sufficient as a temporary fix.  Today, I had a
>dozen resolvers across the US all do this, without similarly odd queries
>having been seen.  This persisted for several hours, regardless of cache
>flushes; any subsequent query for comcast.net would result in bad cache
>entries.  It mostly cleared up a few hours ago, but I've had a few
>recurrences since.
>
>Would anyone from Comcast mind taking a look at this, if you're not
>already aware?  I have packet captures of offending traffic and plenty of
>logs, happy to share whatever you need to see.
>
>Thanks,
>
>-Rob
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>dns-operations mailing list
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>