[dns-operations] Strange behavior of google public resolver

Taras Heichenko tasic at hostmaster.ua
Thu Apr 18 10:13:35 UTC 2019

And one more note...

We made an experiment. We made some domain and sign it with the DSA-512/SHA1 algorithm.
But we placed this domain on our servers without any traffic limits. And we have got the same behavior from
google resolver. So looks like the google's resolver does not give answer for the DSA-512/SHA1 signed
domains. Moreover we have been getting the answers if we use in dig request +cdflag option.

> On Apr 18, 2019, at 12:46, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> On Thu, Apr 18, 2019 at 11:46:28AM +0300,
> Taras Heichenko <tasic at hostmaster.ua> wrote 
> a message of 75 lines which said:
>> And sometimes I get answer
> Testing with RIPE Atlas probes show that, indeed, all other resolvers
> manage to resolve the domain, but often fails (but not always):
> % blaeu-resolve -r 100 -q NS --displayvalidation -x rv.ua
> Nameserver
> [ERROR: SERVFAIL] : 85 occurrences 
> [ba1.ns.ua. ns5.dnsmadeeasy.com. ns6.dnsmadeeasy.com. ns7.dnsmadeeasy.com.] : 10 occurrences 
> [TIMEOUT] : 1 occurrences 
> Test #20841694 done at 2019-04-18T09:37:09Z
> I think you'll have to report it to Google. I see no serious problem
> in your domain.
> (Of course, it would be better to move away from DSA, but it shouldn't
> make a SERVFAIL, just a lack of validation.)

Best regards

Taras Heichenko
tasic at hostmaster.ua

More information about the dns-operations mailing list