root@e3:/home/services# dig @8.8.8.8 m1.mailplus.nl

; <<>> DiG 9.7.3 <<>> @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m1.mailplus.nl.                        IN      A

;; ANSWER SECTION:
m1.mailplus.nl.         1867    IN      A       46.31.50.16
m1.mailplus.nl.         1867    IN      RRSIG   A 7 3 3600 20130517082302 
20121115082302 3767 mailplus.nl. 
WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1pQRo8YIcxzlSN 
tHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0bMKYKIDuK8Gtz47AVDJaU0eX 
0FR8F5qqw897ClGf5ISa0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWF ujs=

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 16:05:26 2012
;; MSG SIZE  rcvd: 219



-----------------------
David Hofstee

-----Original message-----
From: Yunhong Gu [mailto:g...@google.com]
Sent: Thursday 15 November 2012 15:47
To: MailPlus| David Hofstee
CC: nanog@nanog.org
Subject: Re: Dns sometimes fails using Google DNS / automatic dnssec

Hi, David

I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
<da...@mailplus.nl> wrote:
> Hi,
>
> We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 
> and 8.8.4.4. They are not always provided. They cause problems for some of our 
> customers in a weird way I cannot explain. For them these records do not 
> resolve but I cannot reproduce it.
>
> So when I run dig command
>
> dig @8.8.8.8 m1.mailplus.nl
>
> it often provides the RRSIG record (but e.g. the TXT record will not be 
> signed). I've heard that DNS may fall back to TCP and/or may be filtered by 
> firewalls if UDP is over 512 bytes. However, the request is not that long, 
> about 200 bytes if I interpret the answer correctly.
>
> Can someone come up with a good explanation why a tiny percentage of our 
> customers cannot resolve (some of) our domains?
>
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly 
> asked. What is standard here?
>
>
> Thanks,
>
> David Hofstee
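
The rule stated in the reply above (no RRSIG unless the client set the DO bit) can be checked mechanically. The following Python is an added example, not part of the thread or of any Google or MailPlus code: it builds DNS queries with and without the EDNS0 DO bit and flags a reply whose answer section carries an RRSIG the query did not ask for. The reply bytes, the 192.0.2.1 address, the placeholder RRSIG RDATA and all function names are constructed for illustration.

```python
import struct

RRSIG, OPT = 46, 41  # DNS RR type codes

def encode_name(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer: 2 bytes, root label: 1

def build_query(name, do=False):
    """A-record query; do=True appends an EDNS0 OPT RR with the DO bit set."""
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if do else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0) if do else b""
    return hdr + encode_name(name) + struct.pack("!2H", 1, 1) + opt

def build_response(query, with_rrsig):
    """Constructed reply: one A RR, optionally an RRSIG with placeholder RDATA."""
    def rr(rtype, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    answers = [rr(1, bytes([192, 0, 2, 1]))]
    if with_rrsig:
        answers.append(rr(RRSIG, b"\x00" * 24))
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    return hdr + query[12:skip_name(query, 12) + 4] + b"".join(answers)

def records(msg):
    """Yield (section, rtype, ttl) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            yield section, rtype, ttl

def do_bit_set(query):
    # DO is bit 0x8000 of the flags held in the OPT RR's TTL field.
    return any(t == OPT and ttl & 0x8000 for _, t, ttl in records(query))

def unsolicited_rrsig(query, response):
    has_sig = any(s == "answer" and t == RRSIG for s, t, _ in records(response))
    return has_sig and not do_bit_set(query)
```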
