On Feb 3, 2012, at 9:53 AM, Cricket Liu wrote: > > On Feb 3, 2012, at 7:25 AM, Bill Owens wrote: > >> On Fri, Feb 03, 2012 at 10:04:19AM -0500, Lear, Karen (Evolver) wrote: >>> Who would be responsible for opening a trouble report to GoDaddy? I don't >>> understand exactly what the problem is here. >> >> It looks, from the outside, as though the Oppedahl Patent Law Firm LLC uses >> GoDaddy for DNS registration, DNS server hosting, and web server hosting. >> They're also DNSSEC-signing their domain (for which they should be praised ;) >> >> The GoDaddy DNS servers are distributed around the network in various >> colocation sites, and reachable by IP anycast, which means that a number of >> different hosts will answer queries as if they were 'dns1.oppedahl.com', >> they are all reachable over the same IP address, and normal IP routing takes >> your DNS queries to the closest one. When I query for oppedahl.com, I use >> servers in Chicago and they work fine. When you're trying to query for >> oppedahl.com, you're likely using the same Washington, DC area server that >> Florian was using, and it is broken; it doesn't respond to queries that use >> EDNS0, and therefore can't handle DNSSEC. > > This is consistent with something I noticed earlier: DNSViz validates > oppedahl.com's chain of trust without a problem, but Verisign Labs' DNSSEC > Debugger reports no response from oppedahl.com's name servers. DNSViz is > hosted by Sandia, presumably in New Mexico, while Verisign Labs is in the > D.C. area. > > Running an anycast instance that doesn't support EDNS0, though? Yeesh!
A brief update: Go Daddy says they've checked and it's not their fault, that their East Coast name servers do support EDNS0, but Verisign's DNSSEC Debugger is now magically not spewing errors when I test oppedahl.com. cricket _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
