[163231] in North American Network Operators' Group

home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: ipp.gov and Google DNS (8.8.8.8)

daemon@ATHENA.MIT.EDU (Yunhong Gu)
Thu May 30 12:23:07 2013

In-Reply-To: <CAEKtLiTAyn786M3WU4yHVBtM-S3zztoKCTgsQyvzPPaCHjkASw@mail.gmail.com>
Date: Thu, 30 May 2013 12:22:36 -0400
From: Yunhong Gu <guu@google.com>
To: Casey Deccio <casey@deccio.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Google resolvers got no response (i.e. timeout) for ipp.gov/dnskey from
its authoritative name servers. If there is anyone on this list who manages
ipp.gov DNS servers, please take a look. Our resolver IPs can be found at
https://developers.google.com/speed/public-dns/faq#locations.


Thanks
Yunhong (Google Public DNS)


On Thu, May 30, 2013 at 12:03 PM, Casey Deccio <casey@deccio.net> wrote:

> On Thu, May 30, 2013 at 8:17 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
> > On Thu, May 30, 2013 at 09:04:44AM -0600,
> >  Josh Galvez <josh@zevlag.com> wrote
> >  a message of 135 lines which said:
> >
> >> DNSSEC seems to be validating properly.
> >
> > Since Google Public DNS returns SERVFAIL even with the +cd option
> > (Checking Disabled), I suspect that it is not a DNSSEC issue at all.
> >
>
> That's not my experience:
>
> $ dig +cd @8.8.8.8 ipp.gov | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16884
> $ dig @8.8.8.8 ipp.gov | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57555
>
> The resolvers seem to be choking on the DNSKEY (with or without CD):
>
> $ dig +cd @8.8.8.8 ipp.gov dnskey | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19590
>
> Casey
>
>

home	help	back	first	fref	pref	prev	next	nref	lref	last	post