DNSSEC - refused (sometimes) query ?


vom

Dec 15, 2009, 6:40:07 PM12/15/09
to public-dns-discuss
Hi,

Just started playing around with DNSSEC and testing from various
places WRT EDNS. I understand Google Public DNS is anycast (yes?) so
a given answer could be coming from a different 'pod' each time. Why
would I get a REFUSED, and then a success a few seconds later? Is
this a unique anycast instance tripping up on EDNS? Or something
more boring like a temporary resource strain ("slashdotted")?
Thanks in advance.

root@nexusone:/home/vom# dig +bufsize=4096 +dnssec @8.8.8.8 gov dnskey

; <<>> DiG 9.4.2 <<>> +bufsize=4096 +dnssec @8.8.8.8 gov dnskey
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30342
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gov. IN DNSKEY

;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 15 18:37:58 2009
;; MSG SIZE rcvd: 21

root@nexusone:/home/vom# dig +bufsize=4096 +dnssec @8.8.8.8 gov dnskey

; <<>> DiG 9.4.2 <<>> +bufsize=4096 +dnssec @8.8.8.8 gov dnskey
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12800
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;gov. IN DNSKEY

;; ANSWER SECTION:
gov. 86400 IN DNSKEY 256 3 7 AwEAAZzsQ4vEhGwWTdbjdK7cl4hk8QI/Cvf9jxGqsee7z8EIbxlGflhb GSxoeTob9WYP4pzewLqx8+xfIxmyqdXxBA/qMrxTeyiexm4gNCHUM+3X vxXhHRy61oO1UOclg9CqhvmMh2sqwtvbdvIoOIvF1aTL1GnGK9ZHl1a3 04NBaZ0F9ly2dMva+iNuKw8G9FSJzSCdsgmf+5MorOKljOdFvJChRkfX RayLFt/dgUyjQ2v1hytyp/2Cp6b6v+BPAQxSf9uQsCZLnWs2xy6VwaqU 3uKx+TUesUpzKkUZ+DREoLtHapKQI4nXIf21F5LRpgH/FI/AbNqjHdAr cxTuiEtBfe0=
gov. 86400 IN DNSKEY 256 3 7 AwEAAaQ6vDoHd2QDRBLwB+n63RxnmJExvIcOz7uv9gM+l8QSMAJTTCDp qJ8R+8UfYs97cn6LM3cT3kcl9V0GnjljNzNMk39W11Ej7htNcbf4u1n5 z2e4WsnpjQJJmKoWv2FORIfJmLKbxzGILSK13mrDUETj9onhdtOsjkhc K/7S+h1d
gov. 86400 IN DNSKEY 257 3 7 AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RIm K7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRd HTQyghWWbhzAZpnlZ16imXB4yFZjdbV2iM66KcgsESQMPEcIayDQJh6J Ei1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDFdmsSwChR McORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7 rf08l3QlgHEuxclTTdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcU CeVm4Hf2aM8=
gov. 86400 IN RRSIG DNSKEY 7 1 86400 20091220121705 20091215121705 26079 gov. mf+d5N5DNyEI77JlDe+8wJ4qHH0QZXQoSlPttdtNRVbsl21yazvBG3np 6QJzLUw71QN8DF2GXFTleB4EvFVwlLlp+1HxdGIyFMJWKyGsxtjd/4ko CddfmqpmmkoRa8YyxPnS2T4226NL5sf6E8/HkA0W719UjDzDBLopi/nm HrSMcr7+zG/soMoSqNJHQXqFwJQJ4TBeMLoDZBSWhABeTLsNz1jPDYw3 uKIs3DIyrjQK1snOYz9Dr39Ro1k6nTxgT5DDR55Pdu7Rzp7rEoiiiYRb PIdoeWn4165wtk30yQ3kM0rXmwlBtH4gUWpyQ/ngwWbOjD+eGiJnwBOR 8q1dfA==
gov. 86400 IN RRSIG DNSKEY 7 1 86400 20091220121705 20091215121705 51998 gov. fxkU0XpHGe5ccHSUNwsOBDN5DfcUAB88Yrxx34esWS/rhlgnlhdLifc0 0Jmm6QISTONtSqvJrSpNS/M5OkqCxGGfNFBYVFr4khXD7iugecoJgKVa EOb6ce9d3Lr70vl+VhAKn2/9DYyZJ9td5t582YnEhdMS6jlV1BaAdp2B YvQ=

;; Query time: 99 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Dec 15 18:37:59 2009
;; MSG SIZE rcvd: 1186

root@nexusone:/home/vom#

Alex Nizhner

Dec 18, 2009, 9:27:09 AM12/18/09
to public-dn...@googlegroups.com
> Just started playing around with DNSSEC and testing from various
> places WRT EDNS. I understand Google Public DNS is anycast (yes?) so
> a given answer could be coming from a different 'pod' each time. Why
> would I get a REFUSED, and then a success a few seconds later? Is
> this a unique anycast instance tripping up on EDNS? Or something
> more boring like a temporary resource strain ("slashdotted")?
> Thanks in advance.


Neither.  You'll notice that when you do get the response, it's on the big side (1186 bytes according to your dig below).  Google Public DNS is being conservative WRT protecting potential victims of amplification attacks here: it sees a lot of tiny back-to-back queries that generate very large responses to the same IP, and chooses to limit the damage by nacking some of them.  We set the parameters for this so that the vast majority of users wouldn't notice, but cases like this are bound to tickle the thresholds...

Alex

--
========================================================
You received this message because you are subscribed to the Google
Groups "public-dns-discuss" group.
To post to this group, send email to public-dn...@googlegroups.com
To unsubscribe from this group, send email to
public-dns-disc...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/public-dns-discuss?hl=en
For more information on Google Public DNS, please visit
http://code.google.com/speed/public-dns
========================================================
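The mechanism Alex describes (tiny queries, very large answers, the same destination IP, some of them nacked with REFUSED once a threshold is crossed) is a per-client token bucket counted in response bytes rather than in queries. The following is an added illustration of that idea, not Google's code; the bucket size, refill rate, amplification ratio and the sample events are all constructed here. The 21-byte REFUSED and the 1186-byte DNSKEY answer are the sizes that appear in the dig output above.

```python
"""Per-client amplification limiter replayed over constructed query events.
Illustration only: thresholds are hypothetical, not Google Public DNS's."""

from dataclasses import dataclass

# A REFUSED reply with empty sections is 21 bytes on the wire, the
# "MSG SIZE rcvd: 21" in the thread: that is what goes out instead of
# the 1186-byte DNSKEY answer when the limiter trips.
REFUSED_SIZE = 21


@dataclass
class Bucket:
    tokens: float   # response bytes this client may still receive right now
    last: float     # timestamp of the last refill


class AmplificationLimiter:
    """Token bucket in response bytes, kept per client IP.

    Only answers much larger than their query are charged against the
    bucket, so ordinary traffic is never throttled; a burst of tiny queries
    with large answers drains it and is REFUSED until it refills."""

    def __init__(self, capacity_bytes=4096, refill_bytes_per_s=1024, min_ratio=4.0):
        self.capacity = capacity_bytes      # hypothetical burst allowance
        self.refill = refill_bytes_per_s    # hypothetical sustained rate
        self.min_ratio = min_ratio          # answer/query size ratio that counts
        self.buckets = {}

    def decide(self, client_ip, now, query_bytes, response_bytes):
        """Return "NOERROR" to send the full answer, "REFUSED" to nack it."""
        if response_bytes / query_bytes < self.min_ratio:
            return "NOERROR"            # not an amplifying answer, never limited
        bucket = self.buckets.setdefault(client_ip, Bucket(self.capacity, now))
        bucket.tokens = min(self.capacity,
                            bucket.tokens + (now - bucket.last) * self.refill)
        bucket.last = now
        if bucket.tokens >= response_bytes:
            bucket.tokens -= response_bytes
            return "NOERROR"
        return "REFUSED"                # the 21-byte nack is not charged


# Constructed events: (seconds, client IP, query bytes, answer bytes).
# 198.51.100.7 fires back-to-back gov DNSKEY queries (36-byte query,
# 1186-byte answer as in the thread); 203.0.113.9 asks ordinary A questions.
SAMPLE_EVENTS = [
    (0.00, "198.51.100.7", 36, 1186),
    (0.01, "203.0.113.9", 40, 88),
    (0.02, "203.0.113.9", 40, 88),
    (0.05, "198.51.100.7", 36, 1186),
    (0.10, "198.51.100.7", 36, 1186),
    (0.15, "198.51.100.7", 36, 1186),
    (0.20, "198.51.100.7", 36, 1186),
    (5.00, "198.51.100.7", 36, 1186),  # same query again after the bucket refilled
]


def replay(events, limiter):
    """Run events through the limiter in time order.

    Returns a list of (t, ip, rcode, bytes actually sent)."""
    out = []
    for t, ip, qlen, rlen in sorted(events):
        rcode = limiter.decide(ip, t, qlen, rlen)
        out.append((t, ip, rcode, rlen if rcode == "NOERROR" else REFUSED_SIZE))
    return out


def bytes_sent(results):
    """Bytes that left the resolver with the limiter in place."""
    return sum(sent for _, _, _, sent in results)


def bytes_unlimited(events):
    """Bytes that would have left the resolver without a limiter."""
    return sum(rlen for _, _, _, rlen in events)


if __name__ == "__main__":
    results = replay(SAMPLE_EVENTS, AmplificationLimiter())
    for t, ip, rcode, sent in results:
        print(f"t={t:5.2f} {ip:14} {rcode:8} sent={sent}")
    print("without limiter:", bytes_unlimited(SAMPLE_EVENTS), "bytes")
    print("with limiter:   ", bytes_sent(results), "bytes")
```

Replayed with these parameters, the first three DNSKEY queries from 198.51.100.7 are answered, the fourth and fifth get REFUSED, and the same query five seconds later succeeds again, which is the "REFUSED, then success a few seconds later" pattern in the original question; the A queries from the other client are never touched because their answers are not large relative to the query.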

Jeremy Chen (陳康本)

Dec 18, 2009, 9:53:23 AM12/18/09
to public-dn...@googlegroups.com
On Fri, Dec 18, 2009 at 9:27 AM, Alex Nizhner <niz...@google.com> wrote:

> > Just started playing around with DNSSEC and testing from various
> > places WRT EDNS. I understand Google Public DNS is anycast (yes?) so
> > a given answer could be coming from a different 'pod' each time. Why
> > would I get a REFUSED, and then a success a few seconds later? Is
> > this a unique anycast instance tripping up on EDNS? Or something
> > more boring like a temporary resource strain ("slashdotted")?
> > Thanks in advance.


> Neither.  You'll notice that when you do get the response, it's on the big side (1186 bytes according to your dig below).  Google Public DNS is being conservative WRT protecting potential victims of amplification attacks here: it sees a lot of tiny back-to-back queries that generate very large responses to the same IP, and chooses to limit the damage by nacking some of them.  We set the parameters for this so that the vast majority of users wouldn't notice, but cases like this are bound to tickle the thresholds...
>
> Alex


For your information, the explanations from Alex can also be found here: http://code.google.com/speed/public-dns/docs/security.html#rate_limit
--
Jeremy Chen, Google New York Software Engineer