Somehow I could not resolve security.debian.org any more. And it took quite a while to return NXDOMAIN. Was my OS to blame? My router even? Other hostnames were resolving just fine. Was it Debian's fault?
After some fiddling to rule out PEBKAC I noticed that my router had been equipped with new DNS servers:
And indeed, both servers just won't resolve these hostnames anymore:
$ nslookup bugs.debian.org 22.214.171.124
Server: 126.96.36.199
Address: 188.8.131.52#53

** server can't find bugs.debian.org: NXDOMAIN

$ nslookup bugs.debian.org 184.108.40.206
;; connection timed out; no servers could be reached

This does not seem to be a new problem though; Comcast's DNSSEC tests have been running all year long. But now they seem to be rolling out their new DNS servers to the end users. And all would be cool, except:
Q: What happens if I try to access a website that fails DNSSEC validation?
A: The DNS will send a "SERVFAIL" response to your computer.

Whooha. I'd rate this as a serious change - without any announcement to their customers? So now I'm off to their legacy DNS servers. The good news is, they will phase out their brain-damaged Comcast Domain Helper feature for now.
Btw, don't bother with OpenDNS, it's even more insane than "Domain Helper":
$ nslookup 220.127.116.111 18.104.22.168
Server: 22.214.171.124
Address: 126.96.36.199#53

Non-authoritative answer:
Name: 188.8.131.521
Address: 184.108.40.206
Update: Apparently someone filed a bug for this one - but it was closed and forwarded to debian-admin. So now it really seems that debian.org is missing the DS records. Deploying DNSSEC for debian.org has been announced earlier this year, but it does not seem to be finished yet.
This still does not explain why fcc.gov cannot be resolved:
$ dig @220.127.116.11 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @18.104.22.168 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig @22.214.171.124 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @126.96.36.199 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Update: Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):
Standard (Opt-Out) DNS Servers:
Primary: 188.8.131.52
Secondary: 184.108.40.206

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\
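To tell a DNSSEC validation failure (the SERVFAIL case from Comcast's FAQ) apart from a dead resolver or a name that genuinely does not exist, here is an added Python example, not from the original post, that runs the checks in the order a troubleshooter would: query normally, repeat with checking disabled (the equivalent of dig +cd), and look for DS records up the delegation chain. The resolver it queries is a constructed stand-in with placeholder names and addresses, so it runs offline; swap in a real query function to use it against a live resolver.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Answer:
    rcode: Optional[str]              # "NOERROR", "NXDOMAIN", "SERVFAIL"; None = timeout
    records: Tuple[str, ...] = ()
    ad: bool = False                  # Authenticated Data flag: resolver validated the answer

# query(qname, qtype, cd) -> Answer; cd=True means "checking disabled" (dig +cd)
Query = Callable[[str, str, bool], Answer]

def signed_zones(name: str, query: Query) -> List[str]:
    """Ancestor zones of `name` (the name itself included) that have a DS at their parent."""
    labels = name.rstrip(".").split(".")
    zones = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [z for z in zones if query(z, "DS", True).records]

def diagnose(name: str, query: Query) -> str:
    """Classify why `name` fails through this resolver: validation, reachability or NXDOMAIN."""
    normal = query(name, "A", False)
    if normal.rcode == "NOERROR" and normal.records:
        return "ok, authenticated" if normal.ad else "ok, not validated"
    if normal.rcode is None:                      # no reply: is the resolver alive at all?
        probe = query(".", "NS", False)
        return "resolver unreachable" if probe.rcode is None else "timeout for this name only"
    if normal.rcode == "NXDOMAIN":
        return "nxdomain"
    if normal.rcode == "SERVFAIL":
        unchecked = query(name, "A", True)        # same question, validation switched off
        if unchecked.rcode != "NOERROR" or not unchecked.records:
            return "servfail even with cd=1 (upstream or resolver fault, not DNSSEC)"
        signed = signed_zones(name, query)
        if signed:
            return "dnssec validation failure; signed zones in chain: " + ", ".join(signed)
        return "servfail only when validating, but no DS in chain (resolver bug?)"
    return "unexpected rcode " + str(normal.rcode)

def constructed_resolver(qname: str, qtype: str, cd: bool) -> Answer:
    """Constructed stand-in for a validating resolver (no network). www.example.test sits under
    a DS at example.test but its signatures are broken: SERVFAIL when validated, answer with CD=1."""
    table = {
        ("www.example.test", "A", False): Answer("SERVFAIL"),
        ("www.example.test", "A", True): Answer("NOERROR", ("192.0.2.10",)),
        ("example.test", "DS", True): Answer("NOERROR", ("12345 8 2 PLACEHOLDER-DIGEST",)),
        ("gone.example.test", "A", False): Answer("NXDOMAIN"),
        (".", "NS", False): Answer("NOERROR", ("a.root-servers.net.",)),
    }
    return table.get((qname, qtype, cd), Answer("NOERROR"))   # unknown: empty NOERROR
```

Calling diagnose("www.example.test", constructed_resolver) reports a validation failure with example.test as the signed zone to inspect, while a resolver that never answers is reported as unreachable rather than as a DNSSEC problem.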