Single domain DNSSEC related issue apparently affecting only Google resolvers

[philli...@gmail.com]

Hi

8.8.8.8/8.8.4.4 cannot currently resolve lchost.net (or hostnames under that domain)

This domain works fine with other open resolvers (Level3, OpenDNS, Quad1, Quad9, OARC DNSSEC Validating resolvers)

I can only get a result from Google's resolvers if I use the +cd flag (Step 4 - https://developers.google.com/speed/public-dns/docs/troubleshooting) to disable DNSSEC, but the domain is fine with other DNSSEC validating resolvers, and DNSViz etc is fine.

Google can resolve other domains on the same authoritative servers fine.

Any suggestions?

Phil

[Phillip Baker]

To add that this isn't just affecting a single client: this came to light because a customer reported that it wasn't resolving for them. I've now had at least 5 confirmed instances of this not resolving properly via Google's resolvers from around the UK., and have this morning validated that the same happens when querying 8.8.8.8 from datacentres in LA, Sydney and Singapore. This issue appears to be continuous, and appears to be consistent across the 8.8.8.8 anycast nodes.

http://dnsviz.net/d/lchost.net/dnssec/ suggests no problems (that are inside my sphere of control)