Re: DNS: 8.8.8.8 won't resolve noaa.gov sites?

[Lyle Giese <lyle () lcrcomputer net>]

On 09/01/11 21:41, Jay Ashworth wrote:
> [ Cross-posted to NANOG and Outages; replies to outages or outages-discussion;
> I would set the header, but Zimbra sucks.  :-) ]
>
> I've had my home box set to use 8.8.8.8 as its primary resolver, falling back
> to the BBN anycast.
>
> Sometime today, 8.8.8.8 appears to have stopped resolving www.noaa.gov and
> www.nhc.noaa.gov:
>
> ;<<>>  DiG 9.7.3-P3<<>>  @8.8.8.8 www.noaa.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34999
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.noaa.gov.                  IN      A
>
> ;; Query time: 33 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Thu Sep  1 22:38:11 2011
> ;; MSG SIZE  rcvd: 30
>
> though it resolves Yahoo and Google and Akamai.com and everything else
> I throw at it.
>
> Digging noaa.gov at 4.2.2.1 returns what I expect.
>
> Interesting, too, that Firefox 5.0 wouldn't DTRT, even though 4.2.2.1-3 were
> the backup nameservers in my resolv.conf.
>
> Road Runner Tampa Bay connection.
>
> Can anyone confirm or deny?  Google DNS or NOAA people here, before I go ping
> NOAA staff on Twitter?
>
> Cheers,
> -- jra

Jay,
wonder if this has anything to do with DNSSEC?  These records were 
resigned on Sept 2 at 08:50 GMT.  If the signature expired and they were 
late in resigning the records...

I just discovered a minor issue with dnssec tools and zonesigner in 
there.  Zonesigner defaults to a 30 day expiration and they recommend 
running it once a month.  What happens in months with 31 days?

Lyle Giese
LCR Computer Services, Inc.