[dns-operations] comcast.net DNSSEC validation issues

Rob Foehl rwf at loonybin.net
Thu Jun 22 14:51:46 UTC 2017

On Thu, 22 Jun 2017, Feldman, Mark wrote:

> Hi, Rob.  Feel free to provide me your additional details off-list.
> Funny thing is that we don't have a haughtington.comcast.net subdomain (or
> label), so you should get NXDOMAIN there.  DS queries go to the parent,
> which for comcast.net would be the .net name servers.  We haven't touched
> KSKs/DS records in quite some time.  It would be interesting to know if
> others are seeing this 1) at all, 2) with BIND, and 3) with any other
> validating resolver.


Thanks for the reply -- I sent a bunch of information your way off-list.

The original query is obvious garbage, but I should have been more 
specific: the bad cache entry is for "com:\032haughtington.comcast.net/DS" 
without the first label, so the query to the authoritative servers for 
comcast.net was in fact looking for a DS in the parent.  Also, the replies 
the resolver is getting are NXDOMAINs, but BIND wasn't happy with the 
signatures on them for some reason and retried the query against all of 
the authoritative servers before returning a SERVFAIL (and causing trouble 
for all of comcast.net on 9.9).

So far this morning, I've had intermittent issues on a handful of the 
9.9 resolvers, but not all of them -- not sure which queries are 
responsible now, but the frequency has dropped off significantly.
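An added example (not code from this thread, from BIND, or from Comcast) that works through the two mechanics the messages rely on: the cache-entry name is in RFC 1035 presentation format, where `\032` is decimal 32, a space, so the first label is `com: haughtington`; and a DS RRset is served by the parent zone, so a DS query for any direct child of comcast.net goes to the comcast.net servers, while the DS for comcast.net itself is asked of .net. The example assumes the immediate parent name is the zone that holds the delegation; where that is not true (a parent that is not a zone cut) the resolver walks further up, which is not modelled here.

```python
import re

# RFC 1035 presentation-format escapes: "\DDD" is a decimal byte value,
# "\X" is the literal character X (used for "\." inside a label).
_ESC = re.compile(r'\\(\d{3}|.)')


def decode_presentation_name(name: str) -> list:
    """Split a presentation-format name into its decoded labels.

    "\032" becomes a space and "\." stays inside its label; a trailing
    dot (fully qualified name) does not produce an empty final label.
    """
    labels, current, i = [], '', 0
    while i < len(name):
        ch = name[i]
        if ch == '\\':
            m = _ESC.match(name, i)
            if not m:
                raise ValueError('dangling backslash in %r' % name)
            tok = m.group(1)
            current += chr(int(tok)) if len(tok) == 3 and tok.isdigit() else tok
            i = m.end()
        elif ch == '.':
            labels.append(current)
            current = ''
            i += 1
        else:
            current += ch
            i += 1
    if current or not labels:
        labels.append(current)
    return labels


def ds_query_zone(owner: str) -> str:
    """Zone whose servers a validator asks for the DS RRset of `owner`.

    DS records live in the parent of the delegated zone, so the query goes
    one label up (assumption: the immediate parent name is a zone cut).
    The root has no parent and therefore no DS.
    """
    labels = decode_presentation_name(owner)
    if len(labels) < 2:
        return '.'
    return '.'.join(labels[1:]) + '.'


if __name__ == '__main__':
    # Constructed input: the cache-entry name quoted in the thread.
    entry = 'com:\\032haughtington.comcast.net'
    print(decode_presentation_name(entry), '->', ds_query_zone(entry))
```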

