[outages] Comcast DNS
Warren Kumari
warren at kumari.net
Thu Jul 13 02:01:07 EDT 2017
On Jul 12, 2017 11:46 PM, "César de Tassis Filho via Outages" <outages at outages.org> wrote:
> Well, this domain has a broken DNSSEC setup: http://dnsviz.net/d/aerhq.org/dnssec/
> Every recursive DNS server that validates DNSSEC (except for Google Public
> DNS, as stated here[1]) will not resolve this domain.
>
> César
>
> [1] https://developers.google.com/speed/public-dns/faq#gdns_validation_failure
Actually, that page says:
"
If Google Public DNS cannot validate a response (due to misconfiguration,
missing or incorrect RRSIG records, etc.), it will return an error response
(SERVFAIL) instead. **However, if the impact is significant (e.g. a very
popular domain is failing validation), we may temporarily disable
validation on the zone until the problem is fixed.**" (Emphasis added)
This is through the use of RFC7646 (Negative Trust Anchors) - the use is very
seldom, manual, and only for very popular names.
(Apologies for formatting, etc - rushed, about to board a plane)
On Wed, Jul 12, 2017 at 6:37 PM, Tom Elliott via Outages <
outages at outages.org> wrote:
> Comcast subscribers around Wash D.C. are unable to resolve aerhq.org.
> Subscribers of other ISPs resolve site. Anyone else seeing something like
> this?
>
> Thanks,
>
> Tom Elliott
>
> _______________________________________________
> Outages mailing list
> Outages at outages.org
> https://puck.nether.net/mailman/listinfo/outages
>
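Added example, not part of the original thread: a common way to tell a DNSSEC validation failure like the one discussed above from an ordinary resolver outage is to repeat the query with the Checking Disabled (CD) bit set and compare the two replies. The Python sketch below classifies such a pair from the DNS headers alone; the function names and the sample header bytes are constructed for illustration, and it assumes both queries were sent with the DO bit set.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035; AD/CD bits per RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "qr": bool(flags & 0x8000),   # this is a response
        "ad": bool(flags & 0x0020),   # Authenticated Data
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }

def classify(normal: bytes, cd_reply: bytes) -> str:
    """Compare the reply to a normal query with the reply to the same
    query sent with CD=1 to the same validating resolver."""
    n, c = parse_header(normal), parse_header(cd_reply)
    if not (n["qr"] and c["qr"]):
        raise ValueError("not a DNS response")
    if n["rcode"] == "SERVFAIL":
        if c["rcode"] == "NOERROR" and c["answers"] > 0:
            # Data is reachable; only validation rejects it.
            return "dnssec-validation-failure"
        return "resolution-failure"
    if n["rcode"] == "NOERROR":
        # No AD bit: unsigned zone, non-validating resolver, or a
        # negative trust anchor (RFC 7646) in effect for the zone.
        return "validated" if n["ad"] else "resolved-unvalidated"
    return "other:" + n["rcode"]

def header(flags: int, ancount: int) -> bytes:
    """Build a constructed response header (ID 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed samples, not captured traffic.
SERVFAIL = header(0x8182, 0)       # QR RD RA, rcode SERVFAIL
CD_NOERROR = header(0x8190, 1)     # QR RD RA CD, one answer
AD_NOERROR = header(0x81A0, 1)     # QR RD RA AD, one answer
PLAIN_NOERROR = header(0x8180, 1)  # QR RD RA, one answer

if __name__ == "__main__":
    print(classify(SERVFAIL, CD_NOERROR))
```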