Dns sometimes fails using Google DNS / automatic dnssec
- Subject: Dns sometimes fails using Google DNS / automatic dnssec
- From: guu at google.com (Yunhong Gu)
- Date: Thu, 15 Nov 2012 09:47:02 -0500
- In-reply-to: <[email protected]>
- References: <[email protected]>
I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
<david at mailplus.nl> wrote:
> We've been seeing automatic RRSIG records on Google DNS lately, the 220.127.116.11 and 18.104.22.168. They are not always provided. They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve but I cannot reproduce it.
> So when I run the dig command
> dig @22.214.171.124 m1.mailplus.nl
> it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 bytes if I interpret the answer correctly.
> Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our domains?
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?
> David Hofstee