[dns-operations] Today's Broken dotgov: gsa.gov
cjc+dns-oarc at pumpky.net
Wed Mar 29 06:25:34 UTC 2023
Seeing something similar to another recent .gov thread. QNAME
minimization doesn't work with the gsa.gov servers. They're not
responding correctly to queries for non-existent names.

Haven't quite figured out the details of what the servers are doing. If
you query for a non-existent name with DNS cookies, you'll get a bad
cookie back. If you disable cookies, it still doesn't work. What I've been
seeing is you get a truncated UDP response, and then when you try to
follow up with a TCP query, the TCP connection completes (not an issue
with TCP being blocked in a firewall), and I can send the query, but the
response never comes. I'd guess there's an MTU issue at the far end, but
don't really know if it's that simple.

The DNS servers are in the Amazon cloud. They may be anycasted? I think
I've seen some different behavior depending on the source network. The
two IPv6 addresses among the servers seem to not work at all, but there
are still plenty of reachable IPv4, so that shouldn't totally break
things.

Does anyone recognize the particular signature of this brokenness? The
name we were trying to get to that was generating the most user
complaints is issuance.usaccess.gsa.gov.
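A small diagnostic that checks for the signature described in the post (added here as an example; not code from the original message): a plain UDP query with no EDNS or cookies, and if the reply has TC set, the same query over TCP with a timeout. NAMESERVER is an assumed placeholder for one of the zone's authoritative addresses, and the query name at the bottom is a constructed nonexistent label.

```python
import random
import socket
import struct

# Constructed placeholder (not from the post): an authoritative server's IP.
NAMESERVER = "192.0.2.1"

def build_query(qname, qtype=1):
    """Minimal query: RD clear, no EDNS, no cookies, one question."""
    header = struct.pack(">HHHHHH", random.randrange(65536), 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    qid, flags = struct.unpack(">HH", msg[:4])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200), "rcode": flags & 0x000F}

def udp_query(server, msg, timeout=3.0):
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(4096)

def tcp_query(server, msg, timeout=5.0):
    """Reply bytes, or None when the connection opens but no reply arrives."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(msg)) + msg)
        data = b""
        try:
            while len(data) < 2 or len(data) < 2 + struct.unpack(">H", data[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    return None
                data += chunk
        except socket.timeout:
            return None
    return data[2:]

def classify(server, qname):
    q = build_query(qname)
    udp = parse_header(udp_query(server, q))
    if not udp["tc"]:
        return "udp ok, rcode=%d" % udp["rcode"]
    reply = tcp_query(server, q)
    if reply is None:
        return "udp truncated, tcp connected but no reply"
    return "udp truncated, tcp ok, rcode=%d" % parse_header(reply)["rcode"]

if __name__ == "__main__":
    print(classify(NAMESERVER, "does-not-exist-placeholder.gsa.gov"))
```

Run it once per authoritative address (IPv4 and IPv6) and from more than one source network, since the post notes the behaviour may differ by vantage point.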