[163230] in North American Network Operators' Group


Re: ipp.gov and Google DNS (8.8.8.8)

daemon@ATHENA.MIT.EDU (Casey Deccio)
Thu May 30 12:03:56 2013

In-Reply-To: <20130530151729.GA29702@nic.fr>
Date: Thu, 30 May 2013 09:03:37 -0700
From: Casey Deccio <casey@deccio.net>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, May 30, 2013 at 8:17 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Thu, May 30, 2013 at 09:04:44AM -0600,
>  Josh Galvez <josh@zevlag.com> wrote
>  a message of 135 lines which said:
>
>> DNSSEC seems to be validating properly.
>
> Since Google Public DNS returns SERVFAIL even with the +cd option
> (Checking Disabled), I suspect that it is not a DNSSEC issue at all.
>

That's not my experience:

$ dig +cd @8.8.8.8 ipp.gov | grep status:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16884
$ dig @8.8.8.8 ipp.gov | grep status:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57555

The resolvers seem to be choking on the DNSKEY (with or without CD):

$ dig +cd @8.8.8.8 ipp.gov dnskey | grep status:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19590

Casey
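
Added example, not part of the message above: a small shell helper for the comparison shown in the message, reading the RCODE from dig's header line and classifying the with-CD / without-CD pair. The function names and category labels are assumptions of this example; `check_name` needs network access and `dig`, and the sample lines are the header lines quoted in the message.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from a plain
# resolution failure by comparing RCODEs with and without the CD bit.

# Extract the RCODE from dig output on stdin (the ";; ->>HEADER<<-" line).
rcode_of() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_cd <rcode with +cd> <rcode without +cd>
# Labels are this example's own, not standard terms.
classify_cd() {
    cd_rcode=$1
    plain_rcode=$2
    case "$cd_rcode/$plain_rcode" in
        NOERROR/SERVFAIL|NXDOMAIN/SERVFAIL)
            # An answer exists, but the resolver withholds it when it validates.
            echo "validation-failure" ;;
        SERVFAIL/SERVFAIL)
            # Fails even with checking disabled: not explained by validation alone.
            echo "resolution-failure" ;;
        NOERROR/NOERROR|NXDOMAIN/NXDOMAIN)
            echo "ok" ;;
        *)
            # Empty or unexpected RCODE (timeout, REFUSED, parse failure).
            echo "inconclusive" ;;
    esac
}

# Live use: check_name <resolver> <name> [type]   (requires network and dig)
check_name() {
    with_cd=$(dig +cd "@$1" "$2" ${3:+"$3"} | rcode_of)
    without_cd=$(dig "@$1" "$2" ${3:+"$3"} | rcode_of)
    classify_cd "$with_cd" "$without_cd"
}

# Header lines as quoted in the message above (A query, with and without +cd).
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16884'
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57555'
```

Running `check_name 8.8.8.8 ipp.gov` and `check_name 8.8.8.8 ipp.gov dnskey` repeats the two comparisons from the message against a live resolver.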

