DNSSEC woes
Somehow I could not resolve bugs.debian.org or security.debian.org any more. And it took quite a while to return NXDOMAIN. Was my OS to blame? My router even? Other hostnames were resolving just fine. Was it Debian's fault?
After some fiddling to rule out PEBKAC I noticed that my router has been equipped with new DNS servers: 75.75.75.75 and 75.75.76.76.

And indeed, both servers just won't resolve these hostnames anymore:
    $ nslookup bugs.debian.org 75.75.75.75
    Server:         75.75.75.75
    Address:        75.75.75.75#53

    ** server can't find bugs.debian.org: NXDOMAIN

    $ nslookup bugs.debian.org 75.75.75.76
    ;; connection timed out; no servers could be reached

This does not seem to be a new problem though; Comcast's DNSSEC tests were running all year long. But now they seem to be rolling out their new DNS servers to the end users. And all would be cool, except:
    Q: What happens if I try to access a website that fails DNSSEC validation?
    A: The DNS will send a "SERVFAIL" response to your computer.

Whooha. I'd rate this as a serious change - without any announcement to their customers? So now I'm off to their legacy DNS servers. The good news is, they will phase out their brain-damaged Comcast Domain Helper feature for now.
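A validating resolver answers SERVFAIL for data that fails the chain of trust, which is not the NXDOMAIN or the timeouts seen above. To tell the two apart, ask the same question twice, once normally and once with the CD (checking disabled) bit set, as dig +cd does: a SERVFAIL that turns into an answer once validation is switched off is a DNSSEC verdict. The pure-Python helper below is an added example and not part of the original post; build_query, classify, diagnose and probe are names made up for it, and the response bytes used to exercise it are constructed.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, cd=False):
    """Wire-format DNS query with EDNS0 and the DO bit set; cd=True adds the CD flag (like dig +cd)."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, optionally CD (checking disabled)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # qclass IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode/version 0 + DO bit, rdlength 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Map the header flags of a DNS response to a validation verdict."""
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)                          # AD: the resolver validated the answer
    if rcode == 0:
        return "secure" if ad else "insecure"          # insecure: no chain of trust, e.g. missing DS records
    if rcode == 2:
        return "servfail"                              # what a validating resolver returns for bogus data
    if rcode == 3:
        return "nxdomain"                              # the name does not exist; not a DNSSEC verdict
    return "rcode=%d" % rcode

def diagnose(normal, with_cd):
    """Compare the verdict of a normal query with one sent with CD set."""
    if normal == "servfail" and with_cd in ("secure", "insecure"):
        return "dnssec-validation-failure"             # an answer exists but fails validation
    if normal == "servfail":
        return "resolver-or-upstream-failure"          # broken even with validation disabled
    return normal

def probe(resolver, name, timeout=3.0):
    """Send both queries to a resolver over UDP; returns (normal, with_cd), 'timeout' when no reply."""
    verdicts = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, cd=cd), (resolver, 53))
                verdicts.append(classify(s.recv(4096)))
            except socket.timeout:
                verdicts.append("timeout")
    return tuple(verdicts)
```

diagnose(*probe("75.75.75.75", "bugs.debian.org")) runs the same two lookups the nslookup calls above do and says whether a SERVFAIL is a validation verdict or the resolver simply failing.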
Btw, don't bother with OpenDNS, it's even more insane than "Domain Helper":
    $ nslookup 1.1.1.341 208.67.222.222
    Server:         208.67.222.222
    Address:        208.67.222.222#53

    Non-authoritative answer:
    Name:   1.1.1.341
    Address: 67.215.65.132
Update: Apparently someone filed a bug for this one - but it was closed and forwarded to debian-admin. So now it really seems that debian.org is missing the DS records. Deploying DNSSEC for debian.org was announced earlier this year, but it does not seem to be finished yet.

This still does not explain why fcc.gov cannot be resolved:
    $ dig @75.75.75.75 fcc.gov

    ; <<>> DiG 9.6-ESV-R1 <<>> @75.75.75.75 fcc.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    $ dig @75.75.76.76 fcc.gov

    ; <<>> DiG 9.6-ESV-R1 <<>> @75.75.76.76 fcc.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

Update: Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):

    Standard (Opt-Out) DNS Servers:
    Primary:   68.87.69.146
    Secondary: 68.87.85.98

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\