[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Dns sometimes fails using Google DNS / automatic dnssec

Subject: Dns sometimes fails using Google DNS / automatic dnssec
From: david at mailplus.nl (MailPlus| David Hofstee)
Date: Thu, 15 Nov 2012 15:12:23 +0100

Hi,

We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 en 8.8.4.4. They are not always provided. They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve but I cannot reproduce it.

So when I run dig command

dig @8.8.8.8 m1.mailplus.nl

it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 bytes if I interpret the answer correctly.

Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our domains?

Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?


Thanks,

David Hofstee

Follow-Ups:
- Dns sometimes fails using Google DNS / automatic dnssec
  - From: guu at google.com (Yunhong Gu)

Prev by Date: What is BCP re De-Aggregation: strict filtering /48s out of /32 RIR minimums.
Next by Date: Eaton 9130 UPS feedback
Previous by thread: APRICOT 2013 in Singapore
Next by thread: Dns sometimes fails using Google DNS / automatic dnssec
Index(es):
- Date
- Thread