Your IPs may have been rate limited... Andy
Andrew Fried andrew.fr...@gmail.com On 5/1/13 12:38 PM, Blair Trosper wrote: > That's all well and good, but I certainly wouldn't expect "nslookup > gmail.com" or for "nslookup google.com" to return SERVFAIL > > > On Wed, May 1, 2013 at 9:34 AM, Joe Abley <jab...@hopcount.ca> wrote: > >> >> On 2013-05-01, at 12:09, Blair Trosper <blair.tros...@gmail.com> wrote: >> >>> Is anyone else seeing this? From Santa Clara, CA, on Comcast >>> Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and >>> 8.8.4.4... >>> >>> Level 3's own public resolvers are fine for me, as are OpenDNS's >> resolvers. >> >> Google just turned on validation across the whole of 8.8.8.8 and 8.8.4.4. >> The expected behaviour in the case where a response does not validate is to >> return SERVFAIL to the client. >> >> You could check that the queries you are sending are not suffering from >> poor signing hygiene (e.g. use the handy-dandy dnsviz.net visualisation). >> >> If this is a repeatable, consistent problem even for unsigned zones (or >> for zones that you've verified are signed correctly) and especially if it's >> widespread you might want to call google on the nanog courtesy phone and >> have them look for collateral damage from their recent foray into 8.8.8.8 >> validation. >> >> Raw output from dig/drill and traceroutes to 8.8.8.8/8.8.4.4 are highly >> recommended if you need to take this further. >> >> >> Joe