[157928] in North American Network Operators' Group


RE: Dns sometimes fails using Google DNS / automatic dnssec

daemon@ATHENA.MIT.EDU (Tony Finch)
Thu Nov 15 12:38:56 2012

Date: Thu, 15 Nov 2012 17:38:24 +0000
From: Tony Finch <dot@dotat.at>
To: Jay Ford <jay-ford@uiowa.edu>
In-Reply-To: <alpine.DEB.2.02.1211151112010.25057@seatpost.its.uiowa.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Jay Ford <jay-ford@uiowa.edu> wrote:

> It looks like if the server has the RRSIG RR, it returns it.  For example, a
> query with +dnssec will cause it to cache the RRSIG, after which it returns
> it even if +dnssec is not specified.

It's weird. If you repeatedly query 8.8.4.4 without the DO bit, you get a
mixture of responses with and without an RRSIG and with varying TTLs. With
DO it appears to consistently return an RRSIG in the answer and the TTL
drops monotonically. 8.8.8.8 is similar except DO=0 replies don't include
RRSIGs. (Querying from JANET UK and hitting some servers a lethargic 12ms
away.)

while sleep 1; do dig +dnssec @8.8.4.4 m1.mailplus.nl; done

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
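
One way to tabulate the behaviour described in the message above from saved output of the `dig` loop, as an added example that is not part of the original post. The dig-style samples, the name `host.example.`, the addresses and all function names are constructed for illustration.

```python
import re

# Matches a dig answer line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def fake_dig(ttl, rrsig):
    """Build a constructed dig-style response (not real resolver output)."""
    lines = [";; ANSWER SECTION:", f"host.example.\t{ttl}\tIN\tA\t192.0.2.10"]
    if rrsig:
        lines.append(f"host.example.\t{ttl}\tIN\tRRSIG\tA 8 2 3600 (constructed)")
    return "\n".join(lines) + "\n\n;; Query time: 12 msec\n"

def parse_answer(text):
    """Return [(owner, ttl, rrtype)] for the ANSWER section of one response."""
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # blank line or next section header ends the answer
            m = RR_LINE.match(line)
            if m:
                records.append((m.group(1), int(m.group(2)), m.group(3)))
    return records

def summarise(responses, rrtype="A"):
    """Count responses carrying an RRSIG and check the TTL never rises."""
    ttls, with_sig = [], 0
    for text in responses:
        recs = parse_answer(text)
        if any(t == "RRSIG" for _, _, t in recs):
            with_sig += 1
        data_ttls = [ttl for _, ttl, t in recs if t == rrtype]
        if data_ttls:
            ttls.append(min(data_ttls))
    monotonic = all(b <= a for a, b in zip(ttls, ttls[1:]))
    return {"responses": len(responses), "with_rrsig": with_sig,
            "ttls": ttls, "ttl_monotonic": monotonic}

# Constructed sequences: DO=0 mixes signed/unsigned answers with jumping TTLs,
# DO=1 is always signed with a steadily falling TTL.
DO0 = [fake_dig(t, s) for t, s in
       [(3412, False), (1208, True), (3410, False), (1205, True)]]
DO1 = [fake_dig(t, True) for t in (3400, 3399, 3398, 3397)]

if __name__ == "__main__":
    print("DO=0", summarise(DO0))
    print("DO=1", summarise(DO1))
```

To use it on real data, save each iteration of the loop to its own file and pass the file contents to `summarise` as a list of strings.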

