nanog mailing list archives

Re: Dns sometimes fails using Google DNS / automatic dnssec


From: Yunhong Gu <guu () google com>
Date: Thu, 15 Nov 2012 09:47:02 -0500

Hi, David

I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
<david () mailplus nl> wrote:
Hi,

We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 and 8.8.4.4. They are not always provided. 
They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve 
but I cannot reproduce it.

So when I run the dig command

dig @8.8.8.8 m1.mailplus.nl

it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to 
TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 
bytes if I interpret the answer correctly.

Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our 
domains?

Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?


Thanks,

David Hofstee
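As an added illustration (not code from either poster), this shows the distinction Yunhong draws: the same query built without and with the EDNS0 DO bit, plus a check over a reply for the things David was looking at (whether an RRSIG is present, the message size against the 512-byte UDP limit, and the TC flag). The reply bytes are constructed for the example, not captured from 8.8.8.8.

```python
import struct
RRSIG = 46  # RR type the asker saw appear in otherwise plain answers

def encode_name(name):
    """'m1.mailplus.nl' -> DNS wire-format labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, do_bit=False, udp_size=4096, txid=0x1234):
    """Query for name; do_bit=True appends an EDNS0 OPT RR with DO set (RFC 3225)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    if not do_bit:
        return header + question
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field = ext-rcode/version/flags (DO = 0x8000)
    return header + question + b"\x00" + struct.pack(">HHIH", 41, udp_size, 0x8000, 0)

def skip_name(msg, off):
    """Offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def inspect_response(msg):
    """What the thread is about: RRSIG present? size vs 512? TC set?"""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # past QTYPE/QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"rrsig": RRSIG in types, "size": len(msg),
            "over_512": len(msg) > 512, "truncated": bool(flags & 0x0200)}

def sample_response():
    """Constructed (not captured) reply: one A record plus an RRSIG, no OPT RR."""
    question = build_query("m1.mailplus.nl")[12:]
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    rrsig_rr = b"\xc0\x0c" + struct.pack(">HHIH", RRSIG, 1, 300, 8) + b"\x00" * 8
    return header + question + a_rr + rrsig_rr
```

Sending `build_query(name)` and `build_query(name, do_bit=True)` over UDP to a resolver and running `inspect_response` on each reply makes the "RRSIG only when DO is set" behaviour, and any 512-byte truncation, directly visible.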

