I'm wondering if it's been fixed ... I flushed the DNS cache on the problem servers again later this morning and now it's staying good, even after TTL. We'll see if it stays that way.
Thanks, Frank

-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Mark Elkins
Sent: Saturday, April 13, 2019 2:02 AM
To: bind-users@lists.isc.org
Subject: Re: Strange DNSsec failure [was incorrectly sent Thursday night]

Works fine for me? - unless it's been fixed in the meantime.

This is stock standard bind. Nothing funny at all on both the query machine and the DNSSEC aware resolver. Both run the same version of BIND.

$ dig mx1.comcast.net

; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 02a3b8dbc350ae44457cdec05cb1874ac246b4103d9a2461 (good)
;; QUESTION SECTION:
;mx1.comcast.net.                IN      A

;; ANSWER SECTION:
mx1.comcast.net.        300     IN      A       96.114.157.80

;; Query time: 244 msec
;; SERVER: 192.96.24.72#53(192.96.24.72)
;; WHEN: Sat Apr 13 08:52:58 SAST 2019
;; MSG SIZE  rcvd: 88

You can see from the query time this was a fresh lookup and not cached.

On 2019/04/13 04:59, frnk...@iname.com wrote:
> I've had DNSsec validation on our non-public resolvers for a year or two --
> virtually no issues ... until Thursday. First hint was that I couldn't get
> the AAAA for dns.comcast.net. Later in the day our monitoring system
> alerted me to email in our outbound queue that could not deliver to
> comcast.net.
>
> If I perform a dig with DNSsec validation turned off then I can resolve
> Comcast's FQDNs.
> Here are their two MX records:
>
> mail1:~# dig +cd mx1.comcast.net @127.0.0.1 +short
> 96.114.157.80
> mail1:~# dig +cd mx2.comcast.net @127.0.0.1 +short
> 68.87.20.5
> mail1:~# dig mx1.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
> mail1:~# dig mx2.comcast.net @127.0.0.1 | grep status
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18695
> mail1:~#
>
> Not sure why five of our DNSSec-validating DNS servers are choking on
> comcast.net domains. If I flush the cache or restart the server it works
> until the resource record counts down to zero, after which I get a SERVFAIL.
>
> Problem ones: BIND 9.8.4-rpz2+rl005.12-P1 (on Debian, Debian package).
> Working one: BIND 9.11.0-P2 <id:9713922>
>
> Any ideas?
>
> None of the public resolvers I regularly test against (Google, OpenDNS,
> Quad9) are having any issues with the Comcast FQDNs that I tested.
>
> None of the other signed zones that our monitoring system uses
> (www.dnssec-or-not.net, dnssec-name-and-shame.com, www.opendnssec.org) have
> an issue.
>
> Frank
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
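The diagnostic Frank performs above (a normal query returning SERVFAIL while the same query with +cd returns an answer) is the standard way to tell a validation failure at the resolver from a name that simply cannot be resolved. The following script is an added example, not code from the thread or from ISC: it parses dig's header, flags and answer section and classifies a pair of outputs. The sample outputs embedded below are constructed, modelled on the transcripts in the thread, so the script runs offline; to use it against a live resolver you would feed it the captured text of `dig name @resolver` and `dig +cd name @resolver`.

```python
"""Classify a resolver's behaviour from a pair of dig outputs:
one normal query and one with checking disabled (+cd).

Added example; the dig transcripts below are constructed samples.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
# Answer/authority lines look like: "name.  300  IN  A  96.114.157.80"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$", re.M)


@dataclass
class DigResult:
    status: str            # RCODE name as dig prints it, e.g. NOERROR, SERVFAIL
    flags: frozenset       # header flags, e.g. {"qr", "rd", "ra", "ad"}
    answers: list          # (owner, ttl, rtype, rdata) tuples


def parse_dig(text: str) -> DigResult:
    """Extract status, flags and answer records from dig's text output."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found")
    status = m.group(2)
    fm = FLAGS_RE.search(text)
    flags = frozenset(fm.group(1).split()) if fm else frozenset()
    answers = [(name, int(ttl), rtype, rdata.strip())
               for name, ttl, rtype, rdata in ANSWER_RE.findall(text)]
    return DigResult(status, flags, answers)


def diagnose(validating: DigResult, checking_disabled: DigResult) -> str:
    """Compare a normal query with the same query run with +cd.

    SERVFAIL only when validation is on, but data when checking is
    disabled, means the resolver could fetch the records and rejected
    them (expired/mismatched signatures, broken chain, stale trust data).
    SERVFAIL both ways points at the authoritative side or the network.
    """
    if validating.status == "NOERROR":
        # "ad" in the flags means the resolver validated the answer.
        return "ok-validated" if "ad" in validating.flags else "ok-unvalidated"
    if (validating.status == "SERVFAIL"
            and checking_disabled.status == "NOERROR"
            and checking_disabled.answers):
        return "dnssec-validation-failure"
    if validating.status == "SERVFAIL" and checking_disabled.status == "SERVFAIL":
        return "upstream-failure"
    return f"unexpected: {validating.status}/{checking_disabled.status}"


# Constructed sample: a healthy validating lookup (modelled on Mark's output).
VALIDATED_OK = """\
; <<>> DiG 9.12.3-P4 <<>> mx1.comcast.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mx1.comcast.net.                IN      A

;; ANSWER SECTION:
mx1.comcast.net.        300     IN      A       96.114.157.80
"""

# Constructed sample: the failing resolver, normal query (modelled on Frank's).
BROKEN_VALIDATING = """\
; <<>> DiG 9.8.4 <<>> mx1.comcast.net @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mx1.comcast.net.                IN      A
"""

# Constructed sample: the same resolver with +cd (checking disabled).
BROKEN_CD = """\
; <<>> DiG 9.8.4 <<>> +cd mx1.comcast.net @127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
mx1.comcast.net.        300     IN      A       96.114.157.80
"""


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    ok = parse_dig(VALIDATED_OK)
    return {
        "healthy": diagnose(ok, ok),
        "frank": diagnose(parse_dig(BROKEN_VALIDATING), parse_dig(BROKEN_CD)),
        "both-fail": diagnose(parse_dig(BROKEN_VALIDATING), parse_dig(BROKEN_VALIDATING)),
    }


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label}: {verdict}")
```

The "dnssec-validation-failure" verdict is the pattern in Frank's transcript: records retrievable with +cd, SERVFAIL without it, and only on the validating resolvers. Note that the classifier only says where the failure is (the resolver's validation step), not why; the next step on a BIND resolver is the validation failure reason in its logs, and on the older 9.8 line, checking that the resolver's trust anchors and cached DNSKEY/DS data are current.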