DNSSEC woes

Somehow I could not resolve bugs.debian.org or security.debian.org any more. And it took quite a while to return NXDOMAIN. Was my OS to blame? My router even? Other hostnames were resolving just fine. Was it Debian's fault?

After some fiddling to rule out PEBKAC I noticed that my router had been equipped with new DNS servers: 75.75.75.75 and 75.75.76.76.

And indeed, both servers just won't resolve these hostnames anymore:

$ nslookup bugs.debian.org 75.75.75.75
Server:         75.75.75.75
Address:        75.75.75.75#53

** server can't find bugs.debian.org: NXDOMAIN

$ nslookup bugs.debian.org 75.75.75.76
;; connection timed out; no servers could be reached

This does not seem to be a new problem though; Comcast's DNSSEC tests have been running all year long. But now they seem to be rolling out their new DNS servers to end users. And all would be cool, except:

Q: What happens if I try to access a website that fails DNSSEC validation?
A: The DNS will send a "SERVFAIL" response to your computer.

Whooha. I'd rate this as a serious change - without any announcement to their customers? So now I'm off to their legacy DNS servers. The good news is that they will phase out their brain-damaged Comcast Domain Helper feature for now.

Btw, don't bother with OpenDNS, it's even more insane than "Domain Helper": it happily hands out an address for 1.1.1.341, a hostname that cannot even exist:
$ nslookup 1.1.1.341 208.67.222.222
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   1.1.1.341
Address: 67.215.65.132


Update: Apparently someone filed a bug for this one - but it was closed and forwarded to debian-admin. So now it really does look like debian.org is missing its DS records. Deploying DNSSEC for debian.org was announced earlier this year, but it does not seem to be finished yet.

This still does not explain why fcc.gov cannot be resolved:
$ dig @75.75.75.75 fcc.gov
; <<>> DiG 9.6-ESV-R1 <<>> @75.75.75.75 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @75.75.76.76 fcc.gov
; <<>> DiG 9.6-ESV-R1 <<>> @75.75.76.76 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Update: Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):
  Standard (Opt-Out) DNS Servers:
  Primary:   68.87.69.146
  Secondary: 68.87.85.98
However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\
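The symptoms above are easy to mix up: a SERVFAIL from a validating resolver, an honest NXDOMAIN, a server that just times out, and a resolver that makes up answers for names that do not exist. The script below is an added example (my own, not code from the original post or from Comcast, Debian or OpenDNS) that sorts them apart with dig. It relies on three things: a validating resolver answers the same query once checking is disabled with +cd, so SERVFAIL-without-cd but NOERROR-with-cd means the data failed validation; DS records live in the parent zone, so asking for DS debian.org works even while debian.org itself fails to validate; and the reserved .invalid TLD can never resolve, so any A record returned for a name under it is a synthesized answer of the Domain Helper kind. The parsing helpers read dig output as text, so they can be tried on constructed sample lines without any network; probe_resolver runs live queries and needs dig installed. The hostname, resolvers and sample dig lines are illustrative values.

```shell
#!/bin/sh
# dnscheck.sh - added example, not code from the original post.
# Tells apart the resolver behaviours seen above:
#   dnssec-bogus : SERVFAIL that turns into an answer when validation is
#                  switched off with +cd (the "fails DNSSEC validation" case)
#   nxdomain     : an honest "no such name"
#   unreachable  : dig reports "connection timed out"
#   hijacked     : an A record comes back for a name that cannot exist
#                  (the OpenDNS / Domain Helper behaviour)
# The parsing helpers take dig output as text, so they also work on
# constructed samples without network access; probe_resolver runs live dig.

# rcode_of: read dig output on stdin, print its RCODE (or TIMEOUT/UNKNOWN).
rcode_of() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo TIMEOUT; return 0 ;;
    esac
    code=$(printf '%s\n' "$out" | sed -n 's/.*HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"; else echo UNKNOWN; fi
}

# has_ad_flag: read dig output on stdin, print yes if the resolver set the
# AD (authenticated data) bit, i.e. it validated the answer itself, else no.
has_ad_flag() {
    flags=$(sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) echo yes ;;
        *)        echo no ;;
    esac
}

# classify NORMAL_RCODE CD_RCODE: combine the RCODE of a normal query with
# the RCODE of the same query sent with checking disabled (+cd).
classify() {
    case "$1:$2" in
        TIMEOUT:*|*:TIMEOUT)                echo unreachable ;;
        SERVFAIL:NOERROR|SERVFAIL:NXDOMAIN) echo dnssec-bogus ;;
        SERVFAIL:*)                         echo servfail ;;
        NXDOMAIN:*)                         echo nxdomain ;;
        NOERROR:*)                          echo ok ;;
        *)                                  echo unknown ;;
    esac
}

# hijack_verdict SHORT_OUTPUT: judge `dig +short A` output for a name under
# the reserved .invalid TLD, which no honest resolver can answer positively.
hijack_verdict() {
    case "$1" in
        "")            echo honest ;;
        *"timed out"*) echo unreachable ;;
        *)             echo hijacked ;;
    esac
}

# probe_resolver RESOLVER NAME: run the live checks against one resolver.
# Pass the zone apex (debian.org rather than bugs.debian.org) if you want
# the DS check to tell you whether that zone is in the chain of trust.
probe_resolver() {
    r=$1; name=$2
    opts="+time=3 +tries=1"
    normal_out=$(dig @"$r" "$name" A +dnssec $opts)
    normal=$(printf '%s\n' "$normal_out" | rcode_of)
    cd_rcode=$(dig @"$r" "$name" A +dnssec +cd $opts | rcode_of)
    ad=$(printf '%s\n' "$normal_out" | has_ad_flag)
    echo "$r $name: $(classify "$normal" "$cd_rcode") (rcode=$normal, rcode+cd=$cd_rcode, ad=$ad)"
    # DS records are served by the parent zone, so they are fetchable even
    # when the child fails validation; none means the zone is unsigned
    # from the parent's point of view.
    ds=$(dig @"$r" "$name" DS +short $opts)
    if [ -n "$ds" ]; then echo "$r $name: DS present"; else echo "$r $name: no DS records at parent"; fi
    # A name that cannot exist: any address in the reply was made up.
    synth=$(dig @"$r" "probe-$$.invalid" A +short $opts)
    echo "$r NXDOMAIN hijack check: $(hijack_verdict "$synth")"
}

# usage: sh dnscheck.sh HOSTNAME RESOLVER [RESOLVER...]
# e.g.   sh dnscheck.sh debian.org 75.75.75.75 68.87.69.146
if [ $# -ge 2 ]; then
    name=$1; shift
    for r in "$@"; do probe_resolver "$r" "$name"; done
fi
```

Run it with a hostname and one or more resolvers, and compare the verdicts between the validating servers and the opt-out ones: "dnssec-bogus" on the former with "ok" on the latter is exactly the SERVFAIL case from Comcast's FAQ, while "unreachable" on both is a different problem that no amount of DNSSEC explains.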