<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Thanks for the confirmation that the problem was related to DNSSEC.</div><div><br></div><div>I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon. At each of our Internet egress and ingress points, we have Cisco ASA devices sitting in front of a pair of redundant firewalls. Each ASA is configured with the default DNS inspect policy that doesn't accept fragmented UDP packets.</div><div><br></div><br><div><div>On Jul 22, 2010, at 9:42 AM, Nicholas Wheeler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hello,<br><br>From what I can see, <a href="http://radar.weather.gov">radar.weather.gov</a> is currently unsigned. There's a KSK, but I see no ZSKs, and cannot complete the chain of trust.<br><br>On the other hand, <a href="http://noaa.gov">noaa.gov</a> is a signed zone, and I can complete the chain of trust. It does not seem like the <a href="http://usadotgov.net">usadotgov.net</a> root name servers have a problem.<br><br>If you would like to test, this is the tool used by <a href="http://dotgov.gov">dotgov.gov</a>'s helpdesk to test DNSSEC. Unfortunately, it's not a very good website.<br><br><a href="http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx">http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx</a><br><br>Thanks,<br><br>-- Nicholas Wheeler<br><br>Merton Campbell Crockett wrote:<br><blockquote type="cite">Does anyone know if there have been problems with the USADOTGOV.NET &lt;http://USADOTGOV.NET&gt; root name servers today?<br></blockquote><blockquote type="cite">We've had people complaining about resolving RADAR.WEATHER.GOV &lt;http://RADAR.WEATHER.GOV&gt; and several systems in the NOAA.GOV &lt;http://NOAA.GOV&gt; domain. If you query for the NS resource records, you only receive the ANSWER section.
The ADDITIONAL section with the addresses is missing.<br></blockquote><blockquote type="cite">--<br></blockquote><blockquote type="cite">Merton Campbell Crockett<br></blockquote><blockquote type="cite">m.c.crockett@roadrunner.com &lt;mailto:m.c.crockett@roadrunner.com&gt;<br></blockquote></div></blockquote></div><br><div>
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: 'Helvetica Neue'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; color: rgb(0, 0, 0); font-family: 'Helvetica Neue'; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; -webkit-text-decorations-in-effect: none; text-indent: 0px; -webkit-text-size-adjust: auto; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px; "><div>--</div><div>Merton Campbell Crockett</div><div><a href="mailto:m.c.crockett@roadrunner.com">m.c.crockett@roadrunner.com</a></div><div><br class="khtml-block-placeholder"></div><br class="Apple-interchange-newline"></span></div></span></span><br class="Apple-interchange-newline">
</div>
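<div>An added example, not part of the original messages: a Python sketch for checking whether large DNSSEC responses survive a path like the one described in this thread, by comparing a small-response probe with an EDNS0 probe that sets the DO bit. The 1500-byte MTU, the 4096-byte advertised size, the sample responses and all function names are assumptions of this example.</div>

```python
import socket
import struct

IPV4_UDP_OVERHEAD = 28  # 20-byte IPv4 header without options + 8-byte UDP header

def build_query(name, qtype=2, udp_size=4096, dnssec_ok=True):
    """NS query (qtype 2) with an EDNS0 OPT record advertising udp_size."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    do_flag = 0x8000 if dnssec_ok else 0  # DO bit asks for DNSSEC records
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, do_flag, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def probe(server, query, timeout=3.0):
    """Send one UDP query; return the raw response, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None

def triage(response, mtu=1500):
    """Header counts and size facts for one response (None = no reply)."""
    if response is None:
        return {"replied": False}
    if len(response) < 12:
        raise ValueError("shorter than a DNS header")
    _, flags, _, an, ns, ar = struct.unpack("!6H", response[:12])
    return {"replied": True, "size": len(response), "over_512": len(response) > 512,
            "truncated": bool(flags & 0x0200),  # TC bit
            "answer": an, "authority": ns, "additional": ar,
            "fragments": len(response) + IPV4_UDP_OVERHEAD > mtu}

def diagnose(small, large):
    """Compare a small-response probe with a large (DNSSEC) one."""
    a, b = triage(small), triage(large)
    if a["replied"] and not b["replied"]:
        return "large reply lost: check UDP fragment/length handling on the path"
    if b.get("truncated"):
        return "reply truncated: resolver should retry over TCP"
    if b.get("answer") and not b.get("additional"):
        return "ADDITIONAL section empty, matching the symptom quoted in the thread"
    return "no size-related symptom seen"

def fake_response(size, an, ar, tc=False):  # constructed sample: header + padding
    flags = 0x8000 | (0x0200 if tc else 0)
    return struct.pack("!6H", 0x1234, flags, 1, an, 0, ar).ljust(size, b"\x00")
```

<div>On a live network, pass the results of <code>probe()</code> for a query built with <code>dnssec_ok=False</code> and one built with <code>dnssec_ok=True</code> to <code>diagnose()</code>, from a host behind the device under test.</div>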
<br></body></html>