[157921] in North American Network Operators' Group
Re: Dns sometimes fails using Google DNS / automatic dnssec
daemon@ATHENA.MIT.EDU (Yunhong Gu)
Thu Nov 15 09:47:19 2012
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F5E8D4C6D38@SBS1.blinker.local>
Date: Thu, 15 Nov 2012 09:47:02 -0500
From: Yunhong Gu <guu@google.com>
To: "MailPlus| David Hofstee" <david@mailplus.nl>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Hi, David
I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.
Thanks
Yunhong
On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
<david@mailplus.nl> wrote:
> Hi,
>
> We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 and 8.8.4.4. They are not always provided. They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve but I cannot reproduce it.
>
> So when I run dig command
>
> dig @8.8.8.8 m1.mailplus.nl
>
> it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 bytes if I interpret the answer correctly.
>
> Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our domains?
>
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?
>
>
> Thanks,
>
> David Hofstee
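The exchange above turns on two mechanics that are easy to misjudge from a dig printout: whether the client asked for DNSSEC data at all (the DO bit lives in the EDNS0 OPT pseudo-record, which plain dig sends with DO clear and dig +dnssec sends with DO set), and how large the reply becomes once RRSIGs are included relative to the 512-byte limit a non-EDNS path or a strict firewall imposes. The following is an added example, not code from Google Public DNS, transip.nl or the original poster. It builds the three query shapes (EDNS with DO clear, EDNS with DO set, no EDNS), answers them with a toy resolver that follows the rule Yunhong states (an RRSIG is returned only when DO is set), and inspects each reply for RRSIG presence, message size, the 512-byte threshold and the TC flag. The A record and the RRSIG body for m1.mailplus.nl are constructed placeholders, and SAMPLE_NAME, toy_resolver and check_response are names chosen here.

```python
"""Added example: EDNS0 DO bit, RRSIG inclusion and reply size, standard library only."""
import struct

TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41
CLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
EDNS_DO = 0x8000  # DO bit: top bit of the low 16 bits of the OPT RR's TTL field

SAMPLE_NAME = "m1.mailplus.nl"  # name from the thread; the records below are invented


def encode_name(name):
    """Wire-format a domain name without label compression."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def rr(name, rtype, rdata, ttl=300, rclass=CLASS_IN):
    """Serialize one resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def opt_rr(bufsize=4096, do=False):
    """EDNS0 OPT pseudo-RR: CLASS carries the UDP payload size the sender accepts,
    TTL carries extended rcode, version and the DO flag."""
    return rr("", TYPE_OPT, b"", ttl=EDNS_DO if do else 0, rclass=bufsize)


def build_message(txid, flags, question, answers=(), additional=()):
    qname, qtype = question
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    return (header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
            + b"".join(answers) + b"".join(additional))


def build_query(qname, qtype=TYPE_A, txid=0x1234, edns=True, do=False):
    """edns=True, do=False is what plain dig sends; do=True is dig +dnssec;
    edns=False is a pre-EDNS client that can only take 512-byte UDP replies."""
    return build_message(txid, FLAG_RD, (qname, qtype),
                         additional=[opt_rr(do=do)] if edns else [])


def skip_name(data, off):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        off += 1 + n


def parse_message(data):
    """Return header fields, EDNS/DO state and the RR types found in each section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    info = {"id": txid, "flags": flags, "size": len(data), "edns": False, "do": False,
            "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info["edns"], info["do"] = True, bool(ttl & EDNS_DO)
            else:
                info[section].append(rtype)
    return info


# Constructed sample records (not real data): one A record and a dummy RRSIG.
SAMPLE_A = rr(SAMPLE_NAME, TYPE_A, bytes([192, 0, 2, 10]))
SAMPLE_RRSIG = rr(SAMPLE_NAME, TYPE_RRSIG, b"\x00" * 150)  # placeholder signature body


def toy_resolver(query):
    """Answer like a well-behaved resolver: the RRSIG goes into the answer section
    only if the client's OPT record has DO set, and an OPT record is echoed back
    only if the client sent one."""
    q = parse_message(query)
    answers = [SAMPLE_A] + ([SAMPLE_RRSIG] if q["do"] else [])
    additional = [opt_rr(do=q["do"])] if q["edns"] else []
    return build_message(q["id"], FLAG_QR | FLAG_RD, (SAMPLE_NAME, TYPE_A),
                         answers, additional)


def check_response(data):
    """The questions to ask of a reply when some clients 'sometimes' fail to resolve."""
    r = parse_message(data)
    return {"rrsig": TYPE_RRSIG in r["answer"], "size": r["size"],
            "over_512": r["size"] > 512, "truncated": bool(r["flags"] & FLAG_TC)}


if __name__ == "__main__":
    for label, q in (("plain dig", build_query(SAMPLE_NAME)),
                     ("dig +dnssec", build_query(SAMPLE_NAME, do=True)),
                     ("no EDNS", build_query(SAMPLE_NAME, edns=False))):
        print(label, check_response(toy_resolver(q)))
```

Against a real resolver the same inspection is done with dig: compare `dig @8.8.8.8 m1.mailplus.nl` with `dig @8.8.8.8 +dnssec m1.mailplus.nl`, read the ";; MSG SIZE rcvd:" line and the OPT pseudosection (the "flags: do" entry), and repeat with `+tcp` or `+bufsize=512` when a reply is larger than a middlebox on the client's path will pass.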