Somehow I could not resolve security.debian.org any more. And it took quite a while to return NXDOMAIN. Was my OS to blame? My router even? Other hostnames were resolving just fine. Was it Debian's fault?
After some fiddling to rule out PEBKAC I noticed that my router had been equipped with new DNS servers:
And indeed, both servers just won't resolve these hostnames anymore:
$ nslookup bugs.debian.org 126.96.36.199
Server:		188.8.131.52
Address:	184.108.40.206#53

** server can't find bugs.debian.org: NXDOMAIN

$ nslookup bugs.debian.org 220.127.116.11
;; connection timed out; no servers could be reached

This does not seem to be a new problem though; Comcast's DNSSEC tests were running all year long. But now they seem to be rolling out their new DNS servers to the end users. And all would be cool, except:
Q: What happens if I try to access a website that fails DNSSEC validation? A: The DNS will send a "SERVFAIL" response to your computer.

Whooha. I'd rate this as a serious change - without any announcement to their customers? So now I'm off to their legacy DNS servers. The good news is, they will phase out their brain-damaged Comcast Domain Helper feature for now.
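That FAQ answer is the useful diagnostic: a validating resolver returns SERVFAIL for a name that fails DNSSEC validation, while a name that genuinely does not exist still gets NXDOMAIN, and a query with the CD ("checking disabled") bit set skips validation. The Python below is an added example, not code from the original post: it builds the two raw queries (normal and with CD set, both with the EDNS0 DO bit) and classifies a pair of responses by their RCODEs; the response packets are constructed inline for offline use rather than captured from any resolver.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, checking_disabled=False):
    """A-record query with EDNS0 DO set; CD bit set when checking_disabled is True."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)      # RD, optionally CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)    # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Return the fields of the 12-byte DNS header that matter for this diagnosis."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answers": an}

def diagnose(normal_response, cd_response):
    """Classify a failure from the RCODEs of a normal query and the same query with CD set."""
    n = parse_header(normal_response)["rcode"]
    c = parse_header(cd_response)["rcode"]
    if n == 2 and c == 0:
        return "DNSSEC validation failure: SERVFAIL normally, answers with CD set"
    if n == 3 and c == 3:
        return "name does not exist: NXDOMAIN with and without CD"
    if n == 2 and c == 2:
        return "resolver failure unrelated to validation: SERVFAIL even with CD set"
    return "normal: %s / CD %s" % (RCODE_NAMES.get(n, n), RCODE_NAMES.get(c, c))

def fake_response(rcode, ad=False, txid=0x1234):
    """Constructed header-only response (QR, RD, RA set) used as offline sample input."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if rcode == 0 else 0, 0, 0)

if __name__ == "__main__":
    print(build_query("bugs.debian.org", checking_disabled=True).hex())
    print(diagnose(fake_response(2), fake_response(0)))   # validation failure
    print(diagnose(fake_response(3), fake_response(3)))   # genuinely missing name
```

To use it against a live resolver, send `build_query(...)` over UDP port 53 twice (once with `checking_disabled=True`) and pass the two replies to `diagnose`.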
Btw, don't bother with OpenDNS, it's even more insane than "Domain Helper":
$ nslookup 18.104.22.1681 22.214.171.124
Server:		126.96.36.199
Address:	188.8.131.52#53

Non-authoritative answer:
Name:	184.108.40.2061
Address: 220.127.116.11
Update: Apparently someone filed a bug for this one - but it was closed and forwarded to debian-admin. So now it really seems that debian.org is missing the DS records. Deploying DNSSEC to debian.org was announced earlier this year, but it does not seem to be finished yet.
This still does not explain why fcc.gov cannot be resolved:
$ dig @18.104.22.168 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @22.214.171.124 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @126.96.36.199 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @188.8.131.52 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Update: Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):

Standard (Opt-Out) DNS Servers:
Primary:   184.108.40.206
Secondary: 220.127.116.11

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\