[162770] in North American Network Operators' Group
Re: Google Public DNS Problems?
daemon@ATHENA.MIT.EDU (Blair Trosper)
Wed May 1 12:38:40 2013
In-Reply-To: <DFAFD916-A221-409D-A2D8-4D905927C739@hopcount.ca>
Date: Wed, 1 May 2013 09:38:29 -0700
From: Blair Trosper <blair.trosper@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: "nanog@nanog.org" <nanog@nanog.org>
That's all well and good, but I certainly wouldn't expect "nslookup
gmail.com" or "nslookup google.com" to return SERVFAIL.
On Wed, May 1, 2013 at 9:34 AM, Joe Abley <jabley@hopcount.ca> wrote:
>
> On 2013-05-01, at 12:09, Blair Trosper <blair.trosper@gmail.com> wrote:
>
> > Is anyone else seeing this? From Santa Clara, CA, on Comcast
> > Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and
> > 8.8.4.4...
> >
> > Level 3's own public resolvers are fine for me, as are OpenDNS's
> > resolvers.
>
> Google just turned on validation across the whole of 8.8.8.8 and 8.8.4.4.
> The expected behaviour in the case where a response does not validate is to
> return SERVFAIL to the client.
>
> You could check that the queries you are sending are not suffering from
> poor signing hygiene (e.g. use the handy-dandy dnsviz.net visualisation).
>
> If this is a repeatable, consistent problem even for unsigned zones (or
> for zones that you've verified are signed correctly) and especially if it's
> widespread you might want to call Google on the NANOG courtesy phone and
> have them look for collateral damage from their recent foray into 8.8.8.8
> validation.
>
> Raw output from dig/drill and traceroutes to 8.8.8.8/8.8.4.4 are highly
> recommended if you need to take this further.
>
>
> Joe
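
One way to narrow down the SERVFAIL discussed in this thread is to repeat the query with the CD (Checking Disabled) bit from RFC 4035 set: if the resolver answers once validation is switched off, the failure came from DNSSEC validation rather than from reachability. The script below is an added example, not part of the original messages; its function names, result labels and sample headers are constructed for illustration.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010

# Constructed 12-byte response headers only (not captured traffic): QR|RD|RA plus rcode/AD/CD.
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")    # rcode=SERVFAIL
SAMPLE_NOERROR_CD = bytes.fromhex("123481900001000100000000")  # CD set, rcode=NOERROR
SAMPLE_NOERROR_AD = bytes.fromhex("123481a00001000100000000")  # AD set, rcode=NOERROR

def build_query(name, cd=False, qtype=1, qid=0x1234):
    """A query with RD set, CD optional, and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD | (FLAG_CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(msg):
    """Return (rcode name, AD flag) from the header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), bool(flags & FLAG_AD)

def classify(normal_resp, cd_resp):
    """Compare the answer to a normal query with the answer to the same query sent with CD=1."""
    rcode, ad = parse_header(normal_resp)
    cd_rcode, _ = parse_header(cd_resp)
    if rcode == "SERVFAIL":
        # An answer that appears only with validation off points at the DNSSEC data.
        if cd_rcode in ("NOERROR", "NXDOMAIN"):
            return "dnssec-validation-failure"
        return "failure-not-specific-to-validation"
    return "validated" if ad else "answered-without-validation"

def ask(server, name, cd, timeout=3.0):
    """Send one UDP query to server:53 and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (server, 53))
        return s.recvfrom(4096)[0]

if __name__ == "__main__":  # usage: python3 cdcheck.py 8.8.8.8 gmail.com
    server, name = sys.argv[1], sys.argv[2]
    print(name, classify(ask(server, name, False), ask(server, name, True)))
```

SERVFAIL on both queries, including for unsigned zones, matches the "collateral damage" case Joe describes and is the point at which raw output and traceroutes are worth sending along.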