[157919] in North American Network Operators' Group
Dns sometimes fails using Google DNS / automatic dnssec
daemon@ATHENA.MIT.EDU (MailPlus| David Hofstee)
Thu Nov 15 09:12:53 2012
From: MailPlus| David Hofstee <david@mailplus.nl>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 15 Nov 2012 15:12:23 +0100
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi,
We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8
and 8.8.4.4. They are not always provided. They cause problems for some of
our customers in a weird way I cannot explain. For them these records do
not resolve but I cannot reproduce it.
So when I run the dig command
dig @8.8.8.8 m1.mailplus.nl
it often provides the RRSIG record (but e.g. the TXT record will not be
signed). I've heard that DNS may fall back to TCP and/or may be filtered by
firewalls if UDP is over 512 bytes. However, the request is not that long,
about 200 bytes if I interpret the answer correctly.
Can someone come up with a good explanation why a tiny percentage of our
customers cannot resolve (some of) our domains?
Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly
asked. What is standard here?
Thanks,
David Hofstee
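
Added example, not part of the original message: a Python sketch of the two wire-level details the post touches on, namely the EDNS0 "DNSSEC OK" (DO) bit a client sets to ask for RRSIG records, and the size and TC (truncated) flag of a reply, which decide whether it fits a 512-byte, UDP-only path. The function names and the sample reply are constructed for illustration; only the query name comes from the post.

```python
import struct

def encode_name(name):
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, dnssec_ok=False, udp_size=None, txid=0x1234):
    """Build a query; when udp_size is given, append an EDNS0 OPT record."""
    arcount = 1 if udp_size is not None else 0
    # Header: id, flags (0x0100 = recursion desired), QD/AN/NS/AR counts
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if udp_size is not None:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags; DO is bit 0x8000 of the flags.
        ttl = 0x00008000 if dnssec_ok else 0
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return msg

def assess_response(resp, advertised_size=512):
    """Summarise what matters for a reply crossing a size-limited UDP path."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "size": len(resp),
        "truncated": bool(flags & 0x0200),  # TC set: client must retry via TCP
        "over_512": len(resp) > 512,        # exceeds the pre-EDNS0 UDP limit
        "over_advertised": len(resp) > advertised_size,
        "answers": an,
    }

# Constructed sample: a reply header with QR, TC, RD and RA set and no answers,
# as a server sends when the full answer does not fit in the UDP message.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                    + encode_name("m1.mailplus.nl") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    plain = build_query("m1.mailplus.nl")
    signed = build_query("m1.mailplus.nl", dnssec_ok=True, udp_size=4096)
    print(len(plain), len(signed))
    print(assess_response(SAMPLE_TRUNCATED))
```
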