Thanks for the confirmation that the problem was related to DNSSEC. I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon. At each of our Internet egress and ingress points, we have Cisco ASA devices sitting in front of a pair of redundant firewalls. Each ASA is configured with the default DNS inspect policy that doesn't accept fragmented UDP packets.
On Jul 22, 2010, at 9:42 AM, Nicholas Wheeler wrote:

> Hello,
>
> From what I can see, radar.weather.gov is currently unsigned. There's a
> KSK, but I see no ZSKs, and cannot complete the chain of trust.
>
> On the other hand, noaa.gov is a signed zone, and I can complete the chain
> of trust. It does not seem like the usadotgov.net root name servers have a
> problem.
>
> If you would like to test, this is the tool used by dotgov.gov's helpdesk
> to test DNSSEC. Unfortunately, it's not a very good website.
>
> http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx
>
> Thanks,
>
> -- Nicholas Wheeler
>
> Merton Campbell Crockett wrote:
>> Does anyone know if there have been problems with the USADOTGOV.NET
>> root name servers today?
>> We've had people complaining about resolving RADAR.WEATHER.GOV
>> and several systems in the NOAA.GOV
>> domain. If you query for the NS resource records, you
>> only receive the ANSWER section. The ADDITIONAL section with the addresses
>> is missing.
>> --
>> Merton Campbell Crockett
>> m.c.crock...@roadrunner.com

--
Merton Campbell Crockett
m.c.crock...@roadrunner.com
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
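An added example, not part of the original message or of BIND: a Python probe for the failure described in this thread, where a middlebox discards fragmented UDP DNS replies. It sends the same DNSSEC query with a large and a small EDNS0 buffer and compares the outcomes; the function names and the Ethernet MTU of 1500 are assumptions, and the server address is supplied by the caller.

```python
import socket
import struct

IPV4_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header

def build_query(name, qtype=48, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Encode one DNS question (default DNSKEY) plus an EDNS0 OPT record (RFC 6891)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)         # class IN
    flags = 0x8000 if dnssec_ok else 0                      # DO bit requests RRSIGs
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP size, ext-rcode, version, flags, RDLEN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, udp_size, 0, 0, flags, 0)
    return header + question + opt

def summarize(response):
    """Return the header fields that matter for this diagnosis."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    return {"size": len(response), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answer": an, "authority": ns, "additional": ar,
            "fragmented_on_ethernet": len(response) + IPV4_UDP_OVERHEAD > 1500}

def probe(server, name, udp_size, timeout=3.0):
    """Send one UDP query; return summarize() of the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_size=udp_size), (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return summarize(data)

def diagnose(big, small):
    """Compare a probe sent with udp_size=4096 against one sent with udp_size=512."""
    if big is None and small is not None:
        return "large replies lost: suspect a device dropping UDP fragments or big DNS messages"
    if big is None and small is None:
        return "no reply at either size: server or path unreachable"
    if big["fragmented_on_ethernet"]:
        return "large fragmented reply arrived: path passes fragments"
    return "reply fit in one packet: query a name with a larger signed response"
```

Call `diagnose(probe(server, "noaa.gov", 4096), probe(server, "noaa.gov", 512))` from inside and outside the filtering device to see where large replies disappear.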