Strange DNSsec failure [was incorrectly sent Thursday night]

frnkblk at iname.com frnkblk at iname.com
Sat Apr 13 17:09:06 UTC 2019 

I'm wondering if it's been fixed ... I flushed the DNS cache on the problem servers again later this morning and now it's staying good, even after TTL.  We'll see if it stays that way.

Thanks,

Frank 

-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Mark Elkins
Sent: Saturday, April 13, 2019 2:02 AM
To: bind-users at lists.isc.org
Subject: Re: Strange DNSsec failure [was incorrectly sent Thursday night]

Works fine for me?     - unless its been fixed in  the meantime. This is 
stock standard bind. Nothing funny at all on both the query machine and 
the DNSSEC aware resolver. Both run the same version of BIND.

$ dig  mx1.comcast.net

; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02a3b8dbc350ae44457cdec05cb1874ac246b4103d9a2461 (good)
;; QUESTION SECTION:
;mx1.comcast.net.        IN    A

;; ANSWER SECTION:
mx1.comcast.net.    300    IN    A    96.114.157.80

;; Query time: 244 msec
;; SERVER: 192.96.24.72#53(192.96.24.72)
;; WHEN: Sat Apr 13 08:52:58 SAST 2019
;; MSG SIZE  rcvd: 88

You can see from the query time this was a fresh lookup and not cached.

On 2019/04/13 04:59, frnkblk at iname.com wrote:
> I've had DNSsec validation on our non-public resolvers for a year or two --
> virtually no issues ... until Thursday.  First hint was that I couldn't get
> the AAAA for dns.comcast.net.  Later in the day our monitoring system
> alerted me to email in our outbound queue that could not deliver to
> comcast.net.
>
> If I perform a dig with DNSsec validation turned off then I can resolve
> Comcast's FQDNs.  Here are their two MX records:
>
> mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
> 96.114.157.80
> mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
> 68.87.20.5
> mail1:~# dig  mx1.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
> mail1:~# dig  mx2.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
> mail1:~#
>
> Not sure why five of our DNSSec-validating DNS servers are choking on
> comcast.net domains.  If I flush the cache or restart the server it works
> until the resource record counts down to zero, after which I get a SERVFAIL.
>
> Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
> Working one: BIND 9.11.0-P2 <id:9713922>
>
> Any ideas?
>
> None of the public resolvers I regularly test against (Google, OpenDNS,
> Quaad9) are having any issues with the Comcast FQDNs that I tested.
>
> None of the other signed zones that our monitoring system uses
> (www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have
> an issue.
>
> Frank
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list