It looks like running with +trace results in a 15+ second timeout, whether it's to the local resolver or Google, whether I specify IPv4 or not.
mail1:~# dig mx1.comcast.net +trace @127.0.0.1

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx1.comcast.net +trace @127.0.0.1
;; global options: +cmd
.                  433139  IN  NS  a.root-servers.net.
.                  433139  IN  NS  h.root-servers.net.
.                  433139  IN  NS  f.root-servers.net.
.                  433139  IN  NS  g.root-servers.net.
.                  433139  IN  NS  e.root-servers.net.
.                  433139  IN  NS  c.root-servers.net.
.                  433139  IN  NS  j.root-servers.net.
.                  433139  IN  NS  k.root-servers.net.
.                  433139  IN  NS  b.root-servers.net.
.                  433139  IN  NS  m.root-servers.net.
.                  433139  IN  NS  d.root-servers.net.
.                  433139  IN  NS  l.root-servers.net.
.                  433139  IN  NS  i.root-servers.net.
;; Received 508 bytes from 127.0.0.1#53(127.0.0.1) in 5 ms

net.               172800  IN  NS  e.gtld-servers.net.
net.               172800  IN  NS  d.gtld-servers.net.
net.               172800  IN  NS  k.gtld-servers.net.
net.               172800  IN  NS  c.gtld-servers.net.
net.               172800  IN  NS  l.gtld-servers.net.
net.               172800  IN  NS  i.gtld-servers.net.
net.               172800  IN  NS  a.gtld-servers.net.
net.               172800  IN  NS  b.gtld-servers.net.
net.               172800  IN  NS  m.gtld-servers.net.
net.               172800  IN  NS  f.gtld-servers.net.
net.               172800  IN  NS  g.gtld-servers.net.
net.               172800  IN  NS  h.gtld-servers.net.
net.               172800  IN  NS  j.gtld-servers.net.
;; Received 490 bytes from 192.33.4.12#53(192.33.4.12) in 19 ms

comcast.net.       172800  IN  NS  dns101.comcast.net.
comcast.net.       172800  IN  NS  dns102.comcast.net.
comcast.net.       172800  IN  NS  dns103.comcast.net.
comcast.net.       172800  IN  NS  dns104.comcast.net.
comcast.net.       172800  IN  NS  dns105.comcast.net.
;; Received 358 bytes from 2001:500:d937::30#53(2001:500:d937::30) in 15255 ms

mx1.comcast.net.   300     IN  A   96.114.157.80
;; Received 49 bytes from 68.87.85.132#53(68.87.85.132) in 32 ms

mail1:~#
mail1:~# dig -4 mx1.comcast.net +trace @127.0.0.1

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -4 mx1.comcast.net +trace @127.0.0.1
;; global options: +cmd
.                  433072  IN  NS  j.root-servers.net.
.                  433072  IN  NS  m.root-servers.net.
.                  433072  IN  NS  c.root-servers.net.
.                  433072  IN  NS  f.root-servers.net.
.                  433072  IN  NS  k.root-servers.net.
.                  433072  IN  NS  d.root-servers.net.
.                  433072  IN  NS  h.root-servers.net.
.                  433072  IN  NS  l.root-servers.net.
.                  433072  IN  NS  e.root-servers.net.
.                  433072  IN  NS  g.root-servers.net.
.                  433072  IN  NS  b.root-servers.net.
.                  433072  IN  NS  i.root-servers.net.
.                  433072  IN  NS  a.root-servers.net.
;; Received 508 bytes from 127.0.0.1#53(127.0.0.1) in 13 ms

net.               172800  IN  NS  m.gtld-servers.net.
net.               172800  IN  NS  e.gtld-servers.net.
net.               172800  IN  NS  d.gtld-servers.net.
net.               172800  IN  NS  j.gtld-servers.net.
net.               172800  IN  NS  b.gtld-servers.net.
net.               172800  IN  NS  a.gtld-servers.net.
net.               172800  IN  NS  g.gtld-servers.net.
net.               172800  IN  NS  k.gtld-servers.net.
net.               172800  IN  NS  l.gtld-servers.net.
net.               172800  IN  NS  c.gtld-servers.net.
net.               172800  IN  NS  f.gtld-servers.net.
net.               172800  IN  NS  h.gtld-servers.net.
net.               172800  IN  NS  i.gtld-servers.net.
;; Received 490 bytes from 192.33.4.12#53(192.33.4.12) in 17 ms

comcast.net.       172800  IN  NS  dns101.comcast.net.
comcast.net.       172800  IN  NS  dns102.comcast.net.
comcast.net.       172800  IN  NS  dns103.comcast.net.
comcast.net.       172800  IN  NS  dns104.comcast.net.
comcast.net.       172800  IN  NS  dns105.comcast.net.
;; Received 358 bytes from 192.54.112.30#53(192.54.112.30) in 15264 ms

mx1.comcast.net.   300     IN  A   96.114.157.80
;; Received 49 bytes from 68.87.85.132#53(68.87.85.132) in 41 ms

mail1:~#
mail1:~# dig mx1.comcast.net +trace @8.8.8.8

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mx1.comcast.net +trace @8.8.8.8
;; global options: +cmd
.                  168863  IN  NS  m.root-servers.net.
.                  168863  IN  NS  b.root-servers.net.
.                  168863  IN  NS  c.root-servers.net.
.                  168863  IN  NS  d.root-servers.net.
.                  168863  IN  NS  e.root-servers.net.
.                  168863  IN  NS  f.root-servers.net.
.                  168863  IN  NS  g.root-servers.net.
.                  168863  IN  NS  h.root-servers.net.
.                  168863  IN  NS  a.root-servers.net.
.                  168863  IN  NS  i.root-servers.net.
.                  168863  IN  NS  j.root-servers.net.
.                  168863  IN  NS  k.root-servers.net.
.                  168863  IN  NS  l.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 26 ms

net.               172800  IN  NS  a.gtld-servers.net.
net.               172800  IN  NS  b.gtld-servers.net.
net.               172800  IN  NS  c.gtld-servers.net.
net.               172800  IN  NS  d.gtld-servers.net.
net.               172800  IN  NS  e.gtld-servers.net.
net.               172800  IN  NS  f.gtld-servers.net.
net.               172800  IN  NS  g.gtld-servers.net.
net.               172800  IN  NS  h.gtld-servers.net.
net.               172800  IN  NS  i.gtld-servers.net.
net.               172800  IN  NS  j.gtld-servers.net.
net.               172800  IN  NS  k.gtld-servers.net.
net.               172800  IN  NS  l.gtld-servers.net.
net.               172800  IN  NS  m.gtld-servers.net.
;; Received 490 bytes from 198.97.190.53#53(198.97.190.53) in 110 ms

comcast.net.       172800  IN  NS  dns101.comcast.net.
comcast.net.       172800  IN  NS  dns102.comcast.net.
comcast.net.       172800  IN  NS  dns103.comcast.net.
comcast.net.       172800  IN  NS  dns104.comcast.net.
comcast.net.       172800  IN  NS  dns105.comcast.net.
;; Received 358 bytes from 2001:500:d937::30#53(2001:500:d937::30) in 15268 ms

mx1.comcast.net.   300     IN  A   96.114.157.80
;; Received 49 bytes from 2001:558:100e:5:68:87:72:244#53(2001:558:100e:5:68:87:72:244) in 72 ms

mail1:~#

Frank

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of frnk...@iname.com
Sent: Friday, April 12, 2019 11:39 PM
To: bind-users@lists.isc.org
Subject: RE: Strange DNSsec failure [was incorrectly sent Thursday night]

And this forum post:
https://forums.xfinity.com/t5/Email-Web-Browsing/Unable-to-resolve-comcast-net-DNS/td-p/3213070

Frank

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of frnk...@iname.com
Sent: Friday, April 12, 2019 10:08 PM
To: bind-users@lists.isc.org
Subject: RE: Strange DNSsec failure [was incorrectly sent Thursday night]

Just saw this posted on twitter, too, from this morning:
https://twitter.com/janger/status/1116738060199186432

Frank

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of frnk...@iname.com
Sent: Friday, April 12, 2019 10:00 PM
To: bind-users@lists.isc.org
Subject: Strange DNSsec failure [was incorrectly sent Thursday night]

I've had DNSsec validation
on our non-public resolvers for a year or two -- virtually no issues ... until Thursday.

First hint was that I couldn't get the AAAA for dns.comcast.net. Later in the day our monitoring system alerted me to email in our outbound queue that could not deliver to comcast.net.

If I perform a dig with DNSsec validation turned off then I can resolve Comcast's FQDNs. Here are their two MX records:

mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
96.114.157.80
mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
68.87.20.5
mail1:~# dig mx1.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
mail1:~# dig mx2.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
mail1:~#

Not sure why five of our DNSSec-validating DNS servers are choking on comcast.net domains. If I flush the cache or restart the server it works until the resource record counts down to zero, after which I get a SERVFAIL.

Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
Working one: BIND 9.11.0-P2 <id:9713922>

Any ideas? None of the public resolvers I regularly test against (Google, OpenDNS, Quad9) are having any issues with the Comcast FQDNs that I tested. None of the other signed zones that our monitoring system uses (www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have an issue.
Frank
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
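The plain-dig versus dig +cd comparison in the original message is the standard way to tell a DNSSEC validation failure apart from an ordinary resolution failure: the CD (Checking Disabled) header bit tells the resolver to hand back the data without validating it. The script below is an added example, not from the thread or from BIND; it builds the two queries on the wire with only the standard library, reads back RCODE/AD/CD from the response header, and applies that decision. The function names, the IPv4-only `probe` helper and the 5 s timeout are my own assumptions.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035); CD is what `dig +cd` sets.
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data: resolver validated the answer
FLAG_CD = 0x0010   # checking disabled: resolver must not validate
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_query(qname, qtype=1, cd=False, txid=0x1234):
    """Build a minimal UDP DNS query for qname (qtype 1 = A); cd=True mirrors dig +cd."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no RRs
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Return the header fields that matter for this diagnosis."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "answers": an}


def classify(rcode_validating, rcode_cd):
    """The decision the thread makes by hand from plain dig vs dig +cd."""
    if rcode_validating == RCODE_SERVFAIL and rcode_cd == RCODE_NOERROR:
        return "dnssec-validation-failure"  # data reachable, chain does not validate
    if rcode_validating == RCODE_SERVFAIL:
        return "resolution-failure"         # fails even unvalidated: upstream/transport
    if rcode_validating == RCODE_NOERROR:
        return "ok"
    return "rcode-%d" % rcode_validating


def probe(server, qname, timeout=5.0):
    """Live check (assumed helper, IPv4 only): query twice, validating then CD, and classify."""
    rcodes = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, cd=cd), (server, 53))
            rcodes.append(parse_header(s.recv(4096))["rcode"])
    return classify(*rcodes)


if __name__ == "__main__":
    print(probe("127.0.0.1", "mx1.comcast.net"))
```

A result of dnssec-validation-failure on one resolver while public validating resolvers return ok points at the resolver (stale cache, old software) rather than the zone's transport; resolution-failure on both says the opposite.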