[dns-operations] Today's Broken dotgov: gsa.gov

[cjc+dns-oarc at pumpky.net]

Seeing something similar to another recent .gov thread. QNAME 
minimization doesn't work with the gsa.gov servers. They're not 
responding correctly to queries for non-existent names.

Haven't quite figured out the details of what the servers are doing. If 
you query for a non-existent name with DNS cookies, you'll get a bad 
cookie back. If you disable cookies, still doesn't work. What I've been 
seeing is you get a truncated UDP response, and then when you try to 
follow up with a TCP query, the TCP connection completes (not an issue 
with TCP being blocked in a firewall), and I can send the query, but the 
response never comes. I'd guess there's an MTU issue at the far end, but 
don't really know if it's that simple.

The DNS servers are in the Amazon cloud. They may be anycasted? I think 
I've seen some different behavior depending on the source network. The 
two IPv6 addresses among the servers seem to not work at all, but there 
are still plenty of reachable IPv4, so that shouldn't totally break 
things.

Does anyone recognize the particular signature of this brokenness? The 
name we were trying to get to that was generating the most user 
complaints is issuance.usaccess.gsa.gov.