[127251] in North American Network Operators' Group


Re: DNSsec from domailcontrol.com

daemon@ATHENA.MIT.EDU (Mark Andrews)
Fri Jun 18 08:34:43 2010

To: MKS <rekordmeister@gmail.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Fri, 18 Jun 2010 11:34:57 GMT."
	<AANLkTimcXZhuaI9nzOUHRM5fYGb73xRvVU2fy4JOZPRY@mail.gmail.com> 
Date: Fri, 18 Jun 2010 22:33:52 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <AANLkTimcXZhuaI9nzOUHRM5fYGb73xRvVU2fy4JOZPRY@mail.gmail.com>, MKS 
writes:
> Hi
> 
> We (a small ISP in the middle of nowhere) are having problems
> resolving DNSsec records from godaddy.
> 
> This command works just fine
> # dig @ns52.domaincontrol.com loomus.com
> 
> but this doesn't
> # dig @ns52.domaincontrol.com +dnssec loomus.com
> We don't receive the reply to the query.
> 
> and no, this isn't a packet size issue, the reply for the second
> command is 124 bytes, and the host isn't behind a firewall.
> 
> So the same commands work just fine outside our network, and we are
> only having problems with nsxx.domaincontrol.com
> As far as I can see, when enabling +dnssec the EDNS option is
> activated and this is added in the dns query "OPT UDPsize=4096 OK"
> 
> I have also tried
> # dig @ns52.domaincontrol.com +dnssec +bufsize=512 loomus.com
> without any success.
> 
> 
> Does someone have any brilliant suggestions?
> Please contact me on or off list
> 
> Regards
> MKS

The server isn't even EDNS aware.  I suspect your firewall doesn't
like a plain DNS response to an EDNS query.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
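
The mismatch described in the reply above, as an added example that is not part of the original message: a Python check that reports whether a DNS message carries an EDNS OPT record, so a captured query and its reply can be compared. The function names and the sample messages (built inline, with a 192.0.2.1 answer) are constructed for illustration.

```python
import struct

OPT = 41  # RR type of the EDNS0 OPT pseudo-record

def encode_name(name):
    """Length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_msg(name, reply=False, edns=True):
    """Constructed sample message: a query, or a reply with one A record."""
    flags, an = (0x8400, 1) if reply else (0x0100, 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, an, 0, 1 if edns else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if reply:  # answer: pointer to the question name, A IN, TTL 3600, 192.0.2.1
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    if edns:  # root name, TYPE=OPT, CLASS=UDP size 4096, DO bit set in the TTL field
        msg += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return msg

def skip_name(msg, pos):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # 2-byte pointer terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def has_opt(msg):
    """True if the additional section holds an OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    for i in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if i >= an + ns and rtype == OPT:
            return True
    return False

def classify(query, response):
    """Flag the case from the reply: EDNS query answered with plain DNS."""
    if has_opt(query) and not has_opt(response):
        return "plain DNS response to EDNS query"
    return "consistent"
```

Feeding it the UDP payloads of a query and its reply from a capture taken outside the firewall shows whether the pair is one a strict DNS inspection rule might drop.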

