[157924] in North American Network Operators' Group
RE: Dns sometimes fails using Google DNS / automatic dnssec
daemon@ATHENA.MIT.EDU (MailPlus| David Hofstee)
Thu Nov 15 11:09:59 2012
From: MailPlus| David Hofstee <david@mailplus.nl>
To: Yunhong Gu <guu@google.com>
Date: Thu, 15 Nov 2012 16:06:11 +0100
In-Reply-To: <CAGmQtQLvuec6wHm-NOoiOrqy0H-nyf7V1ca2u_z_JeYtHDDAjg@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
root@e3:/home/services# dig @8.8.8.8 m1.mailplus.nl
; <<>> DiG 9.7.3 <<>> @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;m1.mailplus.nl. IN A
;; ANSWER SECTION:
m1.mailplus.nl. 1867 IN A 46.31.50.16
m1.mailplus.nl. 1867 IN RRSIG A 7 3 3600 20130517082302 20121115082302 3767 mailplus.nl. WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1pQRo8YIcxzlSN tHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0bMKYKIDuK8Gtz47AVDJaU0eX 0FR8F5qqw897ClGf5ISa0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWF ujs=
;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 16:05:26 2012
;; MSG SIZE rcvd: 219
-----------------------
David Hofstee
-----Original Message-----
From: Yunhong Gu [mailto:guu@google.com]
Sent: Thursday, 15 November 2012 15:47
To: MailPlus| David Hofstee
CC: nanog@nanog.org
Subject: Re: Dns sometimes fails using Google DNS / automatic dnssec
Hi, David
I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.
Thanks
Yunhong
On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
<david@mailplus.nl> wrote:
> Hi,
>
> We've been seeing automatic RRSIG records on Google DNS lately, on 8.8.8.8 and 8.8.4.4. They are not always provided. They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve but I cannot reproduce it.
>
> So when I run the dig command
>
> dig @8.8.8.8 m1.mailplus.nl
>
> it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 bytes if I interpret the answer correctly.
>
> Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our domains?
>
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?
>
>
> Thanks,
>
> David Hofstee
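As an added example (not part of the thread), the Python below rebuilds the answer David pasted in DNS wire format from the records shown and inspects it the way an operator would before blaming UDP size or DNSSEC: total size against the 512-byte limit he mentions, the TC bit, and RRSIGs present without an EDNS0 OPT record (so no DO bit could have been sent, the condition Yunhong describes). It assumes the standard encoding (owner names compressed to the question, RRSIG signer name uncompressed), which reproduces the 219 bytes dig reported.

```python
import base64, calendar, struct, time

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
# Signature copied from the dig output quoted in this thread (its wrapped lines joined).
RRSIG_B64 = ("WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1pQRo8YIcxzlSN"
             "tHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0bMKYKIDuK8Gtz47AVDJaU0eX"
             "0FR8F5qqw897ClGf5ISa0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWF"
             "ujs=")

def encode_name(name):
    """Dotted FQDN -> uncompressed wire-format labels ending in the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def sig_time(stamp):
    """RRSIG YYYYMMDDHHmmSS presentation time -> 32-bit seconds since the epoch."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))

def build_response():
    """Wire form of the quoted answer: header, question, A RR, RRSIG RR, no OPT record."""
    header = struct.pack("!6H", 38880, 0x8180, 1, 2, 0, 0)   # id, flags qr rd ra, counts
    question = encode_name("m1.mailplus.nl.") + struct.pack("!HH", TYPE_A, 1)
    owner = b"\xC0\x0C"                                       # pointer back to the question name
    a_rr = owner + struct.pack("!HHIH", TYPE_A, 1, 1867, 4) + bytes([46, 31, 50, 16])
    rdata = (struct.pack("!HBBIIIH", TYPE_A, 7, 3, 3600, sig_time("20130517082302"),
                         sig_time("20121115082302"), 3767)
             + encode_name("mailplus.nl.")                    # signer name is never compressed
             + base64.b64decode(RRSIG_B64))
    rrsig_rr = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 1867, len(rdata)) + rdata
    return header + question + a_rr + rrsig_rr

def skip_name(msg, pos):
    """Offset just past a wire-format name, plain or ended by a compression pointer."""
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def inspect(msg):
    """What an operator wants to know before blaming UDP size or DNSSEC for failures."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, types = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return {"size": len(msg), "fits_udp512": len(msg) <= 512,
            "truncated": bool(flags & 0x0200),                # TC bit
            "has_rrsig": TYPE_RRSIG in types, "has_opt": TYPE_OPT in types}  # no OPT: no EDNS0, so no DO
```

Running `inspect(build_response())` gives size 219, fits_udp512 True, truncated False, has_rrsig True and has_opt False, i.e. the answer is well under the UDP limit and the RRSIG arrived without any DO request.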