Dns sometimes fails using Google DNS / automatic dnssec
Jay Ford
jay-ford at uiowa.edu
Thu Nov 15 17:26:24 UTC 2012
It looks like if the server has the RRSIG RR, it returns it. For example, a
query with +dnssec will cause it to cache the RRSIG, after which it returns
it even if +dnssec is not specified.
________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
________________________________________
query without +dnssec before RRSIG is cached; RRSIG not returned
________________________________________
: dig @8.8.8.8 m1.mailplus.nl
; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3665
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;m1.mailplus.nl. IN A
;; ANSWER SECTION:
m1.mailplus.nl. 2985 IN A 46.31.50.16
;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:02 2012
;; MSG SIZE rcvd: 48
________________________________________
query with +dnssec; RRSIG is returned
________________________________________
: dig +dnssec +multi @8.8.8.8 m1.mailplus.nl
; <<>> DiG 9.8.1-P1 <<>> +dnssec +multi @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58877
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;m1.mailplus.nl. IN A
;; ANSWER SECTION:
m1.mailplus.nl. 2978 IN A 46.31.50.16
m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
20121115082302 3767 mailplus.nl.
WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )
;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:10 2012
;; MSG SIZE rcvd: 230
________________________________________
query without +dnssec after RRSIG is cached; RRSIG returned
________________________________________
: dig +multi @8.8.8.8 m1.mailplus.nl
; <<>> DiG 9.8.1-P1 <<>> +multi @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13524
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;m1.mailplus.nl. IN A
;; ANSWER SECTION:
m1.mailplus.nl. 2974 IN A 46.31.50.16
m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
20121115082302 3767 mailplus.nl.
WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )
;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:13 2012
;; MSG SIZE rcvd: 219
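The check the three transcripts above walk through, as an added example that is not part of the original post: a parser that reports whether RRSIG records in a dig answer were requested (DO flag shown in the OPT pseudosection) or arrived unsolicited. The function name, result labels and trimmed sample transcripts (signature data replaced by a placeholder) are constructed for illustration, and it assumes the response OPT echoes the query's DO bit.

```python
import re

SECTION = re.compile(r"^;; (\w+) (?:PSEUDO)?SECTION:")
EDNS_FLAGS = re.compile(r"^; EDNS:.*\bflags:([^;]*);")

def classify(dig_output):
    """Label one dig transcript by DO flag versus RRSIG records in the answer."""
    do_bit, rrsigs, section = False, 0, None
    for raw in dig_output.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)          # OPT, QUESTION, ANSWER, ...
            continue
        m = EDNS_FLAGS.match(line)
        if m:
            do_bit = "do" in m.group(1).split()
            continue
        if line.startswith(";;"):
            section = None                # header/footer lines end a section
            continue
        f = line.split()
        # Record lines are "name ttl class type ..."; +multi continuation
        # lines of a signature do not have "IN" in the third field.
        if section == "ANSWER" and len(f) >= 4 and f[2] == "IN" and f[3] == "RRSIG":
            rrsigs += 1
    if rrsigs:
        return "rrsig-requested" if do_bit else "rrsig-unsolicited"
    return "do-no-rrsig" if do_bit else "plain"

# Constructed samples, trimmed from the transcripts in the post.
BEFORE = """\
;; ANSWER SECTION:
m1.mailplus.nl. 2985 IN A 46.31.50.16
;; Query time: 15 msec
"""
WITH_DO = """\
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
m1.mailplus.nl. 2978 IN A 46.31.50.16
m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
20121115082302 3767 mailplus.nl. SIGNATURE-ELIDED )
"""
AFTER = WITH_DO.split("\n", 2)[2]   # same answer, no OPT pseudosection

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("with +dnssec", WITH_DO), ("after", AFTER)):
        print(name, "->", classify(text))
```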