[dns-operations] DNS .com/.net resolution problems in the Asia/Pacific region

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jul 18 20:08:58 UTC 2023


On Tue, Jul 18, 2023 at 12:51:39PM -0700, Gavin McCullagh wrote:

> We definitely saw Unbound returning SERVFAIL for unsigned com domains
> though.

Failures even for some "unsigned" domains were to be expected if
retries were either not happening or the retry count was at times
exceeded.

The reason is of course that validation of denial of existence of the DS
RRset was failing, due to expired NSEC3 RRSIGs.  So as far as the
resolver was concerned the domain wasn't "verifiably" unsigned.

With 4 out of 13 problem servers:

    - 3 tries gives a 2.9% failure rate.
    - 4 tries gives a 0.9% failure rate.

-- 
    Viktor.

