Hi, David

I work at Google Public DNS and will take a look at this issue. No RRSIG should be returned unless the client set the DO bit to ask for it.

Thanks
Yunhong

On Thu, Nov 15, 2012 at 9:12 AM, MailPlus| David Hofstee <da...@mailplus.nl> wrote:
> Hi,
>
> We've been seeing automatic RRSIG records on Google DNS lately, the 8.8.8.8
> and 8.8.4.4. They are not always provided. They cause problems for some of our
> customers in a weird way I cannot explain. For them these records do not
> resolve but I cannot reproduce it.
>
> So when I run dig command
>
> dig @8.8.8.8 m1.mailplus.nl
>
> it often provides the RRSIG record (but e.g. the TXT record will not be
> signed). I've heard that DNS may fall back to TCP and/or may be filtered by
> firewalls if UDP is over 512 bytes. However, the request is not that long,
> about 200 bytes if I interpret the answer correctly.
>
> Can someone come up with a good explanation why a tiny percentage of our
> customers cannot resolve (some of) our domains?
>
> Btw, our nameservers (transip.nl) only provide DNSSEC records if explicitly
> asked. What is standard here?
>
>
> Thanks,
>
> David Hofstee
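
An offline check for the behaviour discussed in this thread, added here as an example and not code from either poster or from Google Public DNS: it parses a query and a response at the wire level and flags RRSIG records returned when the query's EDNS0 OPT record did not set the DO bit. The helper names and the sample response (a dummy RRSIG, address 192.0.2.1) are constructed for illustration.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000  # DO is the top bit of the 16-bit flags in the OPT TTL field

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, do_bit):
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", TYPE_A, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode | version | flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if do_bit else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def records(msg):
    """Yield (rtype, ttl) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        yield rtype, ttl

def query_sets_do(query):
    return any(t == TYPE_OPT and ttl & DO_FLAG for t, ttl in records(query))

def unsolicited_rrsig(query, response):
    """True when the response carries RRSIGs although the query did not set DO."""
    has_rrsig = any(t == TYPE_RRSIG for t, _ in records(response))
    return has_rrsig and not query_sets_do(query)

def constructed_response(query, with_rrsig):
    """Constructed reply, not captured traffic: one A RR plus an optional dummy RRSIG."""
    ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8) + b"\x00" * 8
    header = query[:2] + struct.pack("!5H", 0x8180, 1, 2 if with_rrsig else 1, 0, 0)
    return header + query[12:-11] + a_rr + (sig if with_rrsig else b"")  # -11 drops the OPT RR
```

Feeding `unsolicited_rrsig` the raw query and response bytes from a packet capture of an affected client shows whether the RRSIGs arrived without being requested.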