DNS: 8.8.8.8 won't resolve noaa.gov sites?

Jay_Ashworth · September 2, 2011, 2:41am

[ Cross-posted to NANOG and Outages; replies to outages or outages-discussion;
I would set the header, but Zimbra sucks. ]

I've had my home box set to use 8.8.8.8 as its primary resolver, falling back
to the BBN anycast.

Sometime today, 8.8.8.8 appears to have stopped resolving www.noaa.gov and
www.nhc.noaa.gov:

; <<>> DiG 9.7.3-P3 <<>> @8.8.8.8 www.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.noaa.gov. IN A

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 1 22:38:11 2011
;; MSG SIZE rcvd: 30

though it resolves Yahoo and Google and Akamai.com and everything else
I throw at it.

Digging noaa.gov at 4.2.2.1 returns what I expect.

Interesting, too, that Firefox 5.0 wouldn't DTRT, even though 4.2.2.1-3 were
the backup nameservers in my resolv.conf.

Road Runner Tampa Bay connection.

Can anyone confirm or deny? Google DNS or NOAA people here, before I go ping
NOAA staff on Twitter?

Cheers,
-- jra

Paul5 · September 2, 2011, 2:56am

Working fine for me:

$ dig @8.8.8.8 www.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 www.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64856
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.noaa.gov. IN A

;; ANSWER SECTION:
www.noaa.gov. 279 IN CNAME edge-hdq.woc.noaa.gov.
edge-hdq.woc.noaa.gov. 279 IN CNAME edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov. 9 IN A 140.90.200.23
edge-rev.lb.noaa.gov. 9 IN A 140.172.17.23
edge-rev.lb.noaa.gov. 9 IN A 129.15.96.23
edge-rev.lb.noaa.gov. 9 IN A 140.90.33.23

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 2 02:54:13 2011
;; MSG SIZE rcvd: 147

$ dig @8.8.8.8 www.nhc.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 www.nhc.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36145
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nhc.noaa.gov. IN A

;; ANSWER SECTION:
www.nhc.noaa.gov. 293 IN CNAME edge-nws.woc.noaa.gov.
edge-nws.woc.noaa.gov. 293 IN CNAME edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov. 23 IN A 140.172.17.23
edge-rev.lb.noaa.gov. 23 IN A 129.15.96.23
edge-rev.lb.noaa.gov. 23 IN A 140.90.33.23
edge-rev.lb.noaa.gov. 23 IN A 140.90.200.23

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 2 02:56:18 2011
;; MSG SIZE rcvd: 151

Jay_Ashworth · September 2, 2011, 3:00am

Yeah; it was reliably broken all day, and of course, it's now fine here too.

Either someone at NOAA or Google saw that and applied a Magic Kick, or
I was just unlucky.

Sorry for the noise, folks.

Cheers,
-- jra

Lyle · September 2, 2011, 12:52pm

Jay,
wonder if this has anything to do with DNSSEC? These records were resigned on Sept 2 at 08:50 GMT. If the signature expired and they were late in resigning the records...

I just discovered a minor issue with dnssec tools and zonesigner in there. Zonesigner defaults to a 30 day expiration and they recommend running it once a month. What happens in months with 31 days?

Lyle Giese
LCR Computer Services, Inc.