I get a call that a site in .FR doesn’t work. Right:

    dig fr ns
    fr.			172700	IN	NS	a.nic.fr.
    fr.			172700	IN	NS	g.ext.nic.fr.
    fr.			172700	IN	NS	e.ext.nic.fr.
    fr.			172700	IN	NS	d.nic.fr.
    fr.			172700	IN	NS	c.nic.fr.
    fr.			172700	IN	NS	f.ext.nic.fr.
    fr.			172700	IN	NS	d.ext.nic.fr.
    dig d.nic.fr
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22465

Now, the operative bit here is SERVFAIL, which is returned by all name servers. So, let’s see what happens if I tell my recursive resolver to disable checking (+cd flag):

    dig +cd d.nic.fr
    d.nic.fr.		107661	IN	A

Oh. Bad. Something happened. But what? Their DNSKEY seems to have gone AWOL. Huh? Lots of badness. I’m trying to get in touch with them. Update: everything seems to be back to normal.
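The same with/without `+cd` comparison as a reusable check (an added example, not part of the original post): it reads the status from two dig replies and reports whether the failure comes from DNSSEC validation or from resolution itself. The function names and the second sample header are constructed for illustration, and the live wrapper assumes the default resolver is a validating one.

```shell
#!/usr/bin/env bash
# Compare a resolver's reply with and without the CD (checking disabled)
# bit to tell a DNSSEC validation failure from an ordinary lookup failure.

# Print the rcode found in the ";; ->>HEADER<<-" line of dig output (stdin).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <dig output> <dig +cd output>
classify() {
    local normal nocheck
    normal=$(printf '%s\n' "$1" | dig_status)
    nocheck=$(printf '%s\n' "$2" | dig_status)
    case "$normal/$nocheck" in
        NOERROR/*)
            echo "ok" ;;
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN)
            # Data is reachable, but the validator rejects it:
            # look at DNSKEY, DS and RRSIG records for the zone.
            echo "dnssec-validation-failure" ;;
        SERVFAIL/SERVFAIL)
            # Fails even unvalidated: unreachable or lame servers.
            echo "resolution-failure" ;;
        *)
            echo "inconclusive ($normal/$nocheck)" ;;
    esac
}

# Live wrapper (hypothetical helper): queries the system's default resolver.
check_name() {
    classify "$(dig "$1")" "$(dig +cd "$1")"
}

# Sample headers: the first is the one shown in the post, the second is
# constructed to stand in for the +cd reply, whose header the post omits.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22465'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711'

classify "$SAMPLE_NORMAL" "$SAMPLE_CD"
```
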

DNS and dnssec :: 12 Feb 2011