GoDaddy contact?

2013-05-27 Thread Yunhong Gu
Hello, I wonder if there is anyone from GoDaddy on this list. I am trying
to debug a problem between Google Public DNS and some GoDaddy name servers.
Please contact me directly at g...@google.com.

Thanks,
Yunhong


Re: GoDaddy contact?

2013-05-28 Thread Yunhong Gu
Thanks very much to those who contacted me off list. I have found the right
person already.

Yunhong
On May 27, 2013 11:46 PM, "Yunhong Gu"  wrote:

> Hello, I wonder if there is anyone from GoDaddy on this list. I am trying
> to debug a problem between Google Public DNS and some GoDaddy name servers.
> Please contact me directly at g...@google.com.
>
> Thanks,
> Yunhong
>


Re: ipp.gov and Google DNS (8.8.8.8)

2013-05-30 Thread Yunhong Gu
Google resolvers got no response (i.e. timeout) for ipp.gov/dnskey from
its authoritative name servers. If there is anyone on this list who manages
ipp.gov DNS servers, please take a look. Our resolver IPs can be found at
https://developers.google.com/speed/public-dns/faq#locations.


Thanks
Yunhong (Google Public DNS)


On Thu, May 30, 2013 at 12:03 PM, Casey Deccio  wrote:

> On Thu, May 30, 2013 at 8:17 AM, Stephane Bortzmeyer 
> wrote:
> > On Thu, May 30, 2013 at 09:04:44AM -0600,
> >  Josh Galvez  wrote
> >  a message of 135 lines which said:
> >
> >> DNSSEC seems to be validating properly.
> >
> > Since Google Public DNS returns SERVFAIL even with the +cd option
> > (Checking Disabled), I suspect that it is not a DNSSEC issue at all.
> >
>
> That's not my experience:
>
> $ dig +cd @8.8.8.8 ipp.gov | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16884
> $ dig @8.8.8.8 ipp.gov | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57555
>
> The resolvers seem to be choking on the DNSKEY (with or without CD):
>
> $ dig +cd @8.8.8.8 ipp.gov dnskey | grep status:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19590
>
> Casey
>
>


Re: ipp.gov and Google DNS (8.8.8.8)

2013-05-30 Thread Yunhong Gu
On Thu, May 30, 2013 at 2:17 PM, Casey Deccio  wrote:

> On Thu, May 30, 2013 at 9:22 AM, Yunhong Gu  wrote:
> > Google resolvers got no response (i.e. timeout) for ipp.gov/dnskey from its
> > authoritative name servers. If there is anyone on this list who manages
> > ipp.gov DNS servers, please take a look. Our resolver IPs can be found at
> > https://developers.google.com/speed/public-dns/faq#locations.
> >
> >
>
> I get a response for DNSKEY just fine*.  However, the payload of the
> response is 1279 bytes, and Google's resolvers set the maximum UDP
> receive payload to 1232, which results in the truncated response.
> Unfortunately, the ipp.gov servers don't respond over TCP, so the
> resolvers aren't able to retrieve ipp.gov/DNSKEY.


Thanks, I suspected this problem but tried to verify using a wrong buffer
size by mistake.


>
> The problem here is that the ipp.gov servers aren't responding on
> TCP/53.  But out of curiosity, why a max payload size of 1232 for the
> Google resolvers?  It seems like that would result in a lot more TCP
> transactions (and overhead) for queries to signed zones.
>

There is still a chance for fragmented UDP responses to get dropped nowadays,
so we want responses in single UDP packets or otherwise from TCP. Overhead
should be insignificant due to the cache in resolvers. That being said, we
are testing 4k max UDP buffer and may turn it on in the near future.



>
> Casey
>
> * Although, that's only if the DO bit is set; interestingly, if I
> don't set the DO bit, the response times out.
>
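
The failure diagnosed in this message, as an added Python example that is not part of the original thread: a query advertising a 1232-byte EDNS0 buffer, a 1279-byte DNSKEY answer that comes back truncated, and a TCP retry that gets no reply. The function names are hypothetical, and the authoritative server is a constructed stand-in that returns only a DNS header.

```python
import struct

DNSKEY, OPT, TC = 48, 41, 0x0200

def build_query(name, qtype, udp_size, do=True, qid=0x1234):
    """Wire-format query carrying an EDNS0 OPT record (RFC 6891)."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)   # 1 question, 1 additional
    # OPT RR: root owner, CLASS = advertised UDP payload size, DO = 0x8000 in flags
    opt = b"\0" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def advertised_size(query):
    """UDP payload size the querier advertised (512 when there is no OPT)."""
    pos = 12
    while query[pos]:                  # walk the labels of the question name
        pos += query[pos] + 1
    pos += 5                           # root label + QTYPE + QCLASS
    if len(query) < pos + 11:
        return 512
    rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
    return size if rtype == OPT else 512

def model_udp_reply(query, full_answer_len):
    """Constructed server model: header-only reply, TC set if the answer does not fit."""
    flags = 0x8400 | (TC if full_answer_len > advertised_size(query) else 0)
    return query[:2] + struct.pack("!5H", flags, 0, 0, 0, 0)

def resolve(query, send_udp, send_tcp):
    """Resolver-side logic: UDP first, retry over TCP when the reply is truncated."""
    reply = send_udp(query)
    if reply is None:
        return "SERVFAIL: UDP timeout"
    if struct.unpack("!H", reply[2:4])[0] & TC:
        if send_tcp(query) is None:
            return "SERVFAIL: truncated over UDP, no answer on TCP/53"
        return "NOERROR via TCP"
    return "NOERROR via UDP"

def ipp_gov_case(udp_size, tcp_works=False, answer_len=1279):
    """Replay the thread's numbers: 1279-byte DNSKEY answer, TCP/53 unanswered."""
    q = build_query("ipp.gov", DNSKEY, udp_size)
    return resolve(q, lambda m: model_udp_reply(m, answer_len),
                   lambda m: b"answer" if tcp_works else None)
```

`ipp_gov_case(1232)` fails the way the thread describes, while either a 4096-byte buffer or a server that answers on TCP/53 makes the same lookup succeed.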


Re: Dns sometimes fails using Google DNS / automatic dnssec

2012-11-15 Thread Yunhong Gu
Hi, David

I work at Google Public DNS and will take a look at this issue. No
RRSIG should be returned unless the client set the DO bit to ask for
it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee
 wrote:
> Hi,
>
> We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8 
> and 8.8.4.4. They are not always provided. They cause problems for some of our 
> customers in a weird way I cannot explain. For them these records do not 
> resolve but I cannot reproduce it.
>
> So when I run dig command
>
> dig @8.8.8.8 m1.mailplus.nl
>
> it often provides the RRSIG record (but e.g. the TXT record will not be 
> signed). I've heard that DNS may fall back to TCP and/or may be filtered by 
> firewalls if UDP is over 512 bytes. However, the request is not that long, 
> about 200 bytes if I interpret the answer correctly.
>
> Can someone come up with a good explanation why a tiny percentage of our 
> customers cannot resolve (some of) our domains?
>
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly 
> asked. What is standard here?
>
>
> Thanks,
>
> David Hofstee



Re: Dns sometimes fails using Google DNS / automatic dnssec

2012-11-15 Thread Yunhong Gu
Hi, we have found the bug that caused this problem. It was introduced
in a very recent release. The fix is on its way.

Thanks very much for the report,
Yunhong

On Thu, Nov 15, 2012 at 12:26 PM, Jay Ford  wrote:
> It looks like if the server has the RRSIG RR, it returns it.  For example, a
> query with +dnssec will cause it to cache the RRSIG, after which it returns
> it even if +dnssec is not specified.
>
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
>
> 
> query without +dnssec before RRSIG is cached; RRSIG not returned
> 
>
>   : dig @8.8.8.8 m1.mailplus.nl
>
>   ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 m1.mailplus.nl
>
>   ; (1 server found)
>   ;; global options: +cmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3665
>
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>   ;; QUESTION SECTION:
>   ;m1.mailplus.nl.IN  A
>
>   ;; ANSWER SECTION:
>   m1.mailplus.nl. 2985IN  A   46.31.50.16
>
>   ;; Query time: 15 msec
>   ;; SERVER: 8.8.8.8#53(8.8.8.8)
>   ;; WHEN: Thu Nov 15 11:22:02 2012
>   ;; MSG SIZE  rcvd: 48
>
> 
> query with +dnssec; RRSIG is returned
> 
>
>   : dig +dnssec +multi @8.8.8.8 m1.mailplus.nl
>
>   ; <<>> DiG 9.8.1-P1 <<>> +dnssec +multi @8.8.8.8 m1.mailplus.nl
>
>   ; (1 server found)
>   ;; global options: +cmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58877
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
>   ;; OPT PSEUDOSECTION:
>   ; EDNS: version: 0, flags: do; udp: 512
>
>   ;; QUESTION SECTION:
>   ;m1.mailplus.nl.IN A
>
>   ;; ANSWER SECTION:
>   m1.mailplus.nl. 2978 IN A 46.31.50.16
>   m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
>
>   20121115082302 3767 mailplus.nl.
>
> WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
>
> QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
>
> bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
>   0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )
>
>   ;; Query time: 16 msec
>   ;; SERVER: 8.8.8.8#53(8.8.8.8)
>   ;; WHEN: Thu Nov 15 11:22:10 2012
>   ;; MSG SIZE  rcvd: 230
>
> 
> query without +dnssec after RRSIG is cached; RRSIG returned
> 
>
>   : dig +multi @8.8.8.8 m1.mailplus.nl
>
>   ; <<>> DiG 9.8.1-P1 <<>> +multi @8.8.8.8 m1.mailplus.nl
>
>   ; (1 server found)
>   ;; global options: +cmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13524
>
>   ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
>   ;; QUESTION SECTION:
>   ;m1.mailplus.nl.IN A
>
>   ;; ANSWER SECTION:
>   m1.mailplus.nl. 2974 IN A 46.31.50.16
>   m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
>
>   20121115082302 3767 mailplus.nl.
>
> WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
>
> QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
>
> bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
>   0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )
>
>   ;; Query time: 17 msec
>   ;; SERVER: 8.8.8.8#53(8.8.8.8)
>   ;; WHEN: Thu Nov 15 11:22:13 2012
>   ;; MSG SIZE  rcvd: 219
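
A check for the behaviour reported in this message, as an added Python example that is not part of the original thread: it scans a pasted dig transcript and reports every run whose answer section carries an RRSIG although the query neither set DO nor asked for RRSIG or ANY. The function name is hypothetical and the sample transcript is constructed from the three runs quoted above, with the signature replaced by a placeholder.

```python
import re

# Constructed transcript modelled on the three dig runs quoted above
# (signature data replaced by a placeholder).
SAMPLE = """\
; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 m1.mailplus.nl
;; QUESTION SECTION:
;m1.mailplus.nl.        IN  A

;; ANSWER SECTION:
m1.mailplus.nl. 2985 IN A 46.31.50.16

; <<>> DiG 9.8.1-P1 <<>> +dnssec +multi @8.8.8.8 m1.mailplus.nl
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;m1.mailplus.nl.        IN A

;; ANSWER SECTION:
m1.mailplus.nl. 2978 IN A 46.31.50.16
m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
                20121115082302 3767 mailplus.nl. PLACEHOLDER= )

; <<>> DiG 9.8.1-P1 <<>> +multi @8.8.8.8 m1.mailplus.nl
;; QUESTION SECTION:
;m1.mailplus.nl.        IN A

;; ANSWER SECTION:
m1.mailplus.nl. 2974 IN A 46.31.50.16
m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
                20121115082302 3767 mailplus.nl. PLACEHOLDER= )
"""

def unsolicited_rrsig(transcript):
    """Return the argument string of every dig run whose answer carries an RRSIG
    although the query neither set DO nor asked for RRSIG/ANY."""
    hits = []
    for run in re.split(r"(?m)^(?=; <<>> DiG )", transcript):
        head = re.match(r"; <<>> DiG \S+ <<>> (.*)", run)
        if not head:
            continue
        do_set = "+dnssec" in head.group(1).split() or re.search(r"(?m)^; EDNS:.*flags:[^;]*\bdo\b", run)
        qtype = re.search(r"(?m)^;\S+\s+IN\s+(\S+)", run)
        answer = re.search(r"(?ms)^;; ANSWER SECTION:\n(.*?)(?:\n\s*\n|\Z)", run)
        rows = [l.split() for l in answer.group(1).splitlines()] if answer else []
        types = {r[3] for r in rows if len(r) > 4 and r[2] == "IN"}
        if "RRSIG" in types and not do_set and (not qtype or qtype.group(1) not in ("RRSIG", "ANY")):
            hits.append(head.group(1))
    return hits
```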



Re: M$ no v6 or just me?

2015-07-15 Thread Yunhong Gu via NANOG
Thanks for the tests that show the NODATA is from the authoritative
nameserver. To clarify, Google DNS does not filter either  or any of
these domains.

Yunhong

On Tue, Jul 14, 2015 at 8:05 PM, Yang Yu  wrote:

> On Wed, Jul 15, 2015 at 4:33 AM, Nicholas Warren
>  wrote:
> > Surely Microsoft has IPv6 connectivity? Is there a problem with my dns,
> or is Microsoft not available over v6?
> >
> > Thanks,
> > Nich
> >
>
> probably not Google DNS filtering
>
>
> test point 1
>
> $ dig e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net
>
> ; <<>> DiG 9.10.2-P2 <<>> e10088.dspb.akamaiedge.net  @
> n0dspb.akamaiedge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51914
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;e10088.dspb.akamaiedge.net.IN  
>
> ;; AUTHORITY SECTION:
> dspb.akamaiedge.net.1000IN  SOA n0dspb.akamaiedge.net.
> hostmaster.akamai.com. 1436917052 1000 1000 1000 1800
>
> ;; Query time: 51 msec
> ;; SERVER: 96.7.248.137#53(96.7.248.137)
> ;; WHEN: Wed Jul 15 08:37:32 KST 2015
> ;; MSG SIZE  rcvd: 119
>
>
>
> test point 2
>
> $ dig e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net
>
> ; <<>> DiG 9.8.1-P1 <<>> e10088.dspb.akamaiedge.net  @
> n0dspb.akamaiedge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27887
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;e10088.dspb.akamaiedge.net.IN  
>
> ;; ANSWER SECTION:
> e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:18f::2768
> e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:181::2768
> e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:188::2768
>
> ;; Query time: 18 msec
> ;; SERVER: 88.221.81.193#53(88.221.81.193)
> ;; WHEN: Tue Jul 14 16:37:17 2015
> ;; MSG SIZE  rcvd: 128
>
>
> I get different IPs for n0dspb.akamaiedge.net / n0dscb.akamaiedge.net
> every time.
>
> So it depends on source IP of the query and which akamai DNS server is
> answering?
>