Strange DNSsec failure [was incorrectly sent Thursday night]
mje at posix.co.za
Sat Apr 13 07:02:20 UTC 2019
Works fine for me? - unless its been fixed in the meantime. This is
stock standard bind. Nothing funny at all on both the query machine and
the DNSSEC aware resolver. Both run the same version of BIND.
$ dig mx1.comcast.net
; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02a3b8dbc350ae44457cdec05cb1874ac246b4103d9a2461 (good)
;; QUESTION SECTION:
;mx1.comcast.net. IN A
;; ANSWER SECTION:
mx1.comcast.net. 300 IN A 22.214.171.124
;; Query time: 244 msec
;; SERVER: 126.96.36.199#53(188.8.131.52)
;; WHEN: Sat Apr 13 08:52:58 SAST 2019
;; MSG SIZE rcvd: 88
You can see from the query time this was a fresh lookup and not cached.
On 2019/04/13 04:59, frnkblk at iname.com wrote:
> I've had DNSsec validation on our non-public resolvers for a year or two --
> virtually no issues ... until Thursday. First hint was that I couldn't get
> the AAAA for dns.comcast.net. Later in the day our monitoring system
> alerted me to email in our outbound queue that could not deliver to
> If I perform a dig with DNSsec validation turned off then I can resolve
> Comcast's FQDNs. Here are their two MX records:
> mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
> mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
> mail1:~# dig mx1.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
> mail1:~# dig mx2.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
> Not sure why five of our DNSSec-validating DNS servers are choking on
> comcast.net domains. If I flush the cache or restart the server it works
> until the resource record counts down to zero, after which I get a SERVFAIL.
> Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
> Working one: BIND 9.11.0-P2 <id:9713922>
> Any ideas?
> None of the public resolvers I regularly test against (Google, OpenDNS,
> Quaad9) are having any issues with the Comcast FQDNs that I tested.
> None of the other signed zones that our monitoring system uses
> (www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have
> an issue.
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
More information about the bind-users