[dns-operations] Dealing with the bizarre - grantee.fema.gov

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jul 8 19:22:42 UTC 2020

On Wed, Jul 08, 2020 at 09:15:02PM +0200,
 Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote 
 a message of 57 lines which said:

> No. My BIND and Unbound personal resolvers (which do not have an NTA)
> get a reply and set AD.

There are probably several different instances for each authoritative
server of grantee.fema.gov, and they behave differently. Here, seen by
the RIPE Atlas probes, you can see that some probes can get a DNSKEY
(when using the DO bit) and some cannot (timeout):

% blaeu-resolve -4 -r 100 --nameserver ns-dc2gtm1.dhs.gov. --type DNSKEY --dnssec grantee.fema.gov.
Nameserver ns-dc2gtm1.dhs.gov.
[TIMEOUT] : 37 occurrences
[256 3 10 aweaabvxfgryn7jl7igk3k7zpjbmvovaepmsbnn/lsugzqz6pjgz6y3/7geibgg3 ubrwa 256 3 10 aweaachfofxdoii8+/ljej5ctuursgky h3ydxjf6t/wurehzelr77yi0i8tmcpyibmo6a 257 3 10 aweaabronsypatfnhwvyn0ipda3l6hp5zwzc2i2mlxts85hvsdnhpghirwzjaio mob3e 257 3 10 aweaadfgkwupgfkp7qayvzzcrs5jza2d jlkzqkwrg90wxdvo5anbrxncoiw3kzv0 ugj+k] : 61 occurrences
[ERROR: SERVFAIL] : 2 occurrences
Test #26219900 done at 2020-07-08T19:19:20Z

Probably because they go to different instances of ns-dc2gtm1.dhs.gov.
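
Added example, not part of the original message and not code from the blaeu project: a small parser for the blaeu-resolve summary shown above that groups probe results into answers, timeouts and errors, and flags a measurement where one nameserver name both answers and fails for a meaningful share of probes. The sample reuses the counts from the message with the DNSKEY rdata replaced by a placeholder; the function names and the 5% threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample: counts are those in the message above,
# the DNSKEY rdata is replaced by a placeholder.
SAMPLE = """\
Nameserver ns-dc2gtm1.dhs.gov.
[TIMEOUT] : 37 occurrences
[<DNSKEY rdata elided>] : 61 occurrences
[ERROR: SERVFAIL] : 2 occurrences
Test #26219900 done at 2020-07-08T19:19:20Z
"""

# One summary line: "[result] : N occurrences"
LINE = re.compile(r"^\[(?P<result>.*)\]\s*:\s*(?P<n>\d+) occurrences?\s*$")

def classify(result):
    """Map a bracketed result to 'timeout', 'error:<RCODE>' or 'answer'."""
    if result == "TIMEOUT":
        return "timeout"
    if result.startswith("ERROR:"):
        return "error:" + result.split(":", 1)[1].strip()
    return "answer"

def summarize(text):
    """Count probes per outcome class, ignoring header and footer lines."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            counts[classify(m.group("result"))] += int(m.group("n"))
    return counts

def is_split(counts, min_share=0.05):
    """Heuristic (assumed threshold): True when both answers and failures
    each account for at least min_share of the probes, i.e. the same
    server name behaves differently depending on where it is queried from."""
    total = sum(counts.values())
    if total == 0:
        return False
    answered = counts.get("answer", 0) / total
    return answered >= min_share and (1 - answered) >= min_share

if __name__ == "__main__":
    c = summarize(SAMPLE)
    total = sum(c.values())
    for outcome, n in c.most_common():
        print(f"{outcome:16s} {n:3d} {100 * n / total:5.1f}%")
    print("split between answers and failures:", is_split(c))
```

A split result only shows that probes see different behaviour; probe-side network problems can produce the same pattern, so it is a prompt to look at the individual instances, not proof.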

