Works fine for me? - unless its been fixed in the meantime. This is
stock standard bind. Nothing funny at all on both the query machine and
the DNSSEC aware resolver. Both run the same version of BIND.
$ dig mx1.comcast.net
; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02a3b8dbc350ae44457cdec05cb1874ac246b4103d9a2461 (good)
;; QUESTION SECTION:
;mx1.comcast.net. IN A
;; ANSWER SECTION:
mx1.comcast.net. 300 IN A 96.114.157.80
;; Query time: 244 msec
;; SERVER: 192.96.24.72#53(192.96.24.72)
;; WHEN: Sat Apr 13 08:52:58 SAST 2019
;; MSG SIZE rcvd: 88
You can see from the query time this was a fresh lookup and not cached.
On 2019/04/13 04:59, frnk...@iname.com wrote:
I've had DNSsec validation on our non-public resolvers for a year or two --
virtually no issues ... until Thursday. First hint was that I couldn't get
the AAAA for dns.comcast.net. Later in the day our monitoring system
alerted me to email in our outbound queue that could not deliver to
comcast.net.
If I perform a dig with DNSsec validation turned off then I can resolve
Comcast's FQDNs. Here are their two MX records:
mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
96.114.157.80
mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
68.87.20.5
mail1:~# dig mx1.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
mail1:~# dig mx2.comcast.net @127.0.0.1 | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
mail1:~#
Not sure why five of our DNSSec-validating DNS servers are choking on
comcast.net domains. If I flush the cache or restart the server it works
until the resource record counts down to zero, after which I get a SERVFAIL.
Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
Working one: BIND 9.11.0-P2 <id:9713922>
Any ideas?
None of the public resolvers I regularly test against (Google, OpenDNS,
Quaad9) are having any issues with the Comcast FQDNs that I tested.
None of the other signed zones that our monitoring system uses
(www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have
an issue.
Frank
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
