Dns sometimes fails using Google DNS / automatic dnssec
Hi,

We've been seeing automatic RRSIG records on Google DNS lately, on 8.8.8.8 and 8.8.4.4. They are not always provided. They cause problems for some of our customers in a weird way I cannot explain. For them these records do not resolve, but I cannot reproduce it.

So when I run the dig command

dig @8.8.8.8 m1.mailplus.nl

it often provides the RRSIG record (but e.g. the TXT record will not be signed). I've heard that DNS may fall back to TCP and/or may be filtered by firewalls if UDP is over 512 bytes. However, the request is not that long, about 200 bytes if I interpret the answer correctly.

Can someone come up with a good explanation why a tiny percentage of our customers cannot resolve (some of) our domains?

Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly asked. What is standard here?

Thanks,

David Hofstee
Hi, David

I work at Google Public DNS and will take a look at this issue. No RRSIG should be returned unless the client set the DO bit to ask for it.

Thanks
Yunhong
root@e3:/home/services# dig @8.8.8.8 m1.mailplus.nl

; <<>> DiG 9.7.3 <<>> @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m1.mailplus.nl. IN A

;; ANSWER SECTION:
m1.mailplus.nl. 1867 IN A 46.31.50.16
m1.mailplus.nl. 1867 IN RRSIG A 7 3 3600 20130517082302 20121115082302 3767 mailplus.nl. WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1pQRo8YIcxzlSN tHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0bMKYKIDuK8Gtz47AVDJaU0eX 0FR8F5qqw897ClGf5ISa0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWF ujs=

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 16:05:26 2012
;; MSG SIZE rcvd: 219

-----------------------
David Hofstee
It looks like if the server has the RRSIG RR, it returns it. For example, a query with +dnssec will cause it to cache the RRSIG, after which it returns it even if +dnssec not specified.

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-2951

________________________________________
query without +dnssec before RRSIG is cached; RRSIG not returned
________________________________________
: dig @8.8.8.8 m1.mailplus.nl

; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3665
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m1.mailplus.nl. IN A

;; ANSWER SECTION:
m1.mailplus.nl. 2985 IN A 46.31.50.16

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:02 2012
;; MSG SIZE rcvd: 48

________________________________________
query with +dnssec; RRSIG is returned
________________________________________
: dig +dnssec +multi @8.8.8.8 m1.mailplus.nl

; <<>> DiG 9.8.1-P1 <<>> +dnssec +multi @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58877
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;m1.mailplus.nl. IN A

;; ANSWER SECTION:
m1.mailplus.nl. 2978 IN A 46.31.50.16
m1.mailplus.nl. 2978 IN RRSIG A 7 3 3600 20130517082302 (
                20121115082302 3767 mailplus.nl.
                WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
                QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
                bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
                0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:10 2012
;; MSG SIZE rcvd: 230

________________________________________
query without +dnssec after RRSIG is cached; RRSIG returned
________________________________________
: dig +multi @8.8.8.8 m1.mailplus.nl

; <<>> DiG 9.8.1-P1 <<>> +multi @8.8.8.8 m1.mailplus.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13524
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;m1.mailplus.nl. IN A

;; ANSWER SECTION:
m1.mailplus.nl. 2974 IN A 46.31.50.16
m1.mailplus.nl. 2974 IN RRSIG A 7 3 3600 20130517082302 (
                20121115082302 3767 mailplus.nl.
                WzKY2FnTbF8MOhAuDvnrPkpgskeH4aI1YByh6zBX1z1p
                QRo8YIcxzlSNtHv2LnKUk+0n6iIXqV77sHynHHP/Y/a0
                bMKYKIDuK8Gtz47AVDJaU0eX0FR8F5qqw897ClGf5ISa
                0njPLFVyF/NJ6hNViDYzOhhHGi58dhZmhKWFujs= )

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 15 11:22:13 2012
;; MSG SIZE rcvd: 219
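The rule Yunhong states (a resolver returns RRSIGs only when the client set the EDNS0 DO bit) and the before/after comparison Jay did by hand with dig can be scripted. The following is an added example, not code from this thread or from Google Public DNS. It builds a query with or without an OPT pseudo-RR carrying DO, parses a reply including compressed names, and classifies the reply as "ok", "truncated" (TC set, so the client has to retry over TCP, which a firewall blocking TCP/53 would break) or "rrsig-without-do" (the misbehaviour reported above). The function names are mine; the sample reply is constructed locally to mirror the dig output in the thread (the A record 46.31.50.16 and an RRSIG with key tag 3767, algorithm 7, signer mailplus.nl.), with placeholder signature bytes and timestamps; probe() is a hypothetical helper for running the same check against a live resolver and needs network access.

```python
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000   # DO bit: high bit of the OPT RR's 32-bit "TTL" field (RFC 3225)
FLAG_TC = 0x0200   # TC (truncated) bit in the DNS header flags


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, do=False, qid=0x1234, udp_size=4096):
    """Recursive query; with do=True an EDNS0 OPT pseudo-RR with DO set is appended."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)  # RD=1
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def decode_name(data, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if (ln & 0xC0) == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                         # resume after the pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(data):
    """Return header id, TC flag, the RRs (name, type, ttl, rdata) and whether OPT had DO."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = decode_name(data, off)
        off += 4
    records, do = [], False
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        else:
            records.append((name, rtype, ttl, rdata))
    return {"id": qid, "tc": bool(flags & FLAG_TC), "records": records, "do": do}


def classify_response(query_had_do, data):
    """'truncated' -> retry over TCP; 'rrsig-without-do' -> the misbehaviour in the thread."""
    r = parse_response(data)
    if r["tc"]:
        return "truncated"
    if not query_had_do and any(t == TYPE_RRSIG for _, t, _, _ in r["records"]):
        return "rrsig-without-do"
    return "ok"


def build_sample_response(qid=0x1234, include_rrsig=False, do=False):
    """Constructed reply shaped like the dig output in the thread; not captured traffic."""
    ptr = b"\xc0\x0c"                                 # pointer to the question name at offset 12
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, 2 if include_rrsig else 1, 0, 1 if do else 0)
    msg = hdr + encode_name("m1.mailplus.nl") + struct.pack("!HH", TYPE_A, 1)
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 1867, 4) + bytes([46, 31, 50, 16])
    if include_rrsig:
        # RRSIG rdata: covered type, alg 7, labels 3, orig TTL 3600, expiry, inception
        # (placeholder epochs), key tag 3767, signer name, signature (placeholder bytes)
        rd = struct.pack("!HBBIIIH", TYPE_A, 7, 3, 3600, 1368778982, 1352967782, 3767)
        rd += encode_name("mailplus.nl") + bytes(range(16))
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 1867, len(rd)) + rd
    if do:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 512, EDNS_DO, 0)
    return msg


def probe(resolver, name, do, timeout=2.0):
    """Hypothetical helper: one live UDP query to a resolver (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, do=do), (resolver, 53))
        reply, _ = s.recvfrom(4096)
    return classify_response(do, reply)
```

Run repeatedly with do=False against a resolver to reproduce Jay's check; the 48-byte DO-less sample reply matches the "MSG SIZE rcvd: 48" in his first dig run, and a reply that grows past 512 bytes with DO unset would come back with TC set rather than as an oversized datagram.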
Hi, we have found the bug that caused this problem. It was introduced in a very recent release. The fix is on its way.

Thanks very much for the report,
Yunhong
fixed...

-----------------------
David Hofstee
It's weird. If you repeatedly query 8.8.4.4 without the DO bit, you get a mixture of responses with and without an RRSIG and with varying TTLs. With DO it appears to consistently return an RRSIG in the answer and the TTL drops monotonically. 8.8.8.8 is similar except DO=0 replies don't include RRSIGs. (Querying from JANET UK and hitting some servers a lethargic 12ms away.)

while sleep 1; do dig +dnssec @8.8.4.4 m1.mailplus.nl; done

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
participants (4)
- Jay Ford
- MailPlus| David Hofstee
- Tony Finch
- Yunhong Gu