Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010
Accepted Solution

fcc.gov: connection timed out; no servers could be reached


After the new DNSSEC servers 75.75.75.75 & 75.75.76.76 have been assigned to my router, I cannot resolve a few hostnames:

 

------------------------------------

$ dig @75.75.76.76 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @75.75.76.76 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

------------------------------------

 

Same for 75.75.75.75. Querying both DNS servers for other names works perfectly. Also, the DNSSEC debugger checks out fine for fcc.gov: http://dnssec-debugger.verisignlabs.com/fcc.gov

 

Notice that it does NOT return NXDOMAIN, it just times out.

 

------------------------------------

$ traceroute 75.75.75.75
traceroute to 75.75.75.75 (75.75.75.75), 30 hops max, 40 byte packets
 1  192.168.0.1  0.635 ms  1.410 ms  1.639 ms
 2  c-69-181-128-1.hsd1.ca.comcast.net (69.181.128.1)  16.898 ms  17.839 ms  33.148 ms
 3  te-7-1-ur01.sfgeary.ca.sfba.comcast.net (68.87.197.9)  17.170 ms  17.271 ms  17.362 ms
 4  te-0-3-0-5-ar01.sfsutro.ca.sfba.comcast.net (68.85.154.38)  18.119 ms  18.224 ms  18.318 ms
 5  te-9-4-ur01.sanjose.ca.sfba.comcast.net (68.85.154.153)  18.640 ms  25.347 ms  25.435 ms
 6  cdns01.comcast.net (75.75.75.75)  24.570 ms  17.940 ms  17.939 ms

------------------------------------

 

Ideas?

C.

Bronze Problem Solver
Posts: 3,266
Registered: ‎05-12-2006

Re: fcc.gov: connection timed out; no servers could be reached

 


ckujau wrote:

After the new DNSSEC servers 75.75.75.75 & 75.75.76.76 have been assigned to my router, I cannot resolve a few hostnames:

 

------------------------------------

$ dig @75.75.76.76 fcc.gov

; <<>> DiG 9.6-ESV-R1 <<>> @75.75.76.76 fcc.gov
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

------------------------------------

 

Same for 75.75.75.75. Querying both DNS servers for other names works perfectly. Also, the DNSSEC debugger checks out fine for fcc.gov: http://dnssec-debugger.verisignlabs.com/fcc.gov

 

Notice that it does NOT return NXDOMAIN, it just times out.

 

------------------------------------

$ traceroute 75.75.75.75
traceroute to 75.75.75.75 (75.75.75.75), 30 hops max, 40 byte packets
 1  192.168.0.1  0.635 ms  1.410 ms  1.639 ms
 2  c-69-181-128-1.hsd1.ca.comcast.net (69.181.128.1)  16.898 ms  17.839 ms  33.148 ms
 3  te-7-1-ur01.sfgeary.ca.sfba.comcast.net (68.87.197.9)  17.170 ms  17.271 ms  17.362 ms
 4  te-0-3-0-5-ar01.sfsutro.ca.sfba.comcast.net (68.85.154.38)  18.119 ms  18.224 ms  18.318 ms
 5  te-9-4-ur01.sanjose.ca.sfba.comcast.net (68.85.154.153)  18.640 ms  25.347 ms  25.435 ms
 6  cdns01.comcast.net (75.75.75.75)  24.570 ms  17.940 ms  17.939 ms

------------------------------------

 

Ideas?

C.


No ideas, but it's the same problem mentioned in this post. It's interesting that the DNSSEC stuff seemingly checks out at the other end.

 

Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached

I opened a ticket with Comcast a few days ago, but they have not gotten back to me yet. For now I've added a 3rd DNS in my router's searchlist - unfortunately it has this "Domain-Helper" thingy enabled :-\

Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached

Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):

 

  Standard (Opt-Out) DNS Servers:
Primary: 68.87.69.146
Secondary: 68.87.85.98

 

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\

Bronze Problem Solver
Posts: 3,266
Registered: ‎05-12-2006

Re: fcc.gov: connection timed out; no servers could be reached

 


ckujau wrote:

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\


An update. Checking at http://dns.comcast.net/dig-tool.php indicates that it's a problem in some regions, that 2 out of 12 servers are having this problem. It's disappointing that Comcast haven't even acknowledged that there's a problem.

 

Retired Administrator
CC_Dete
Posts: 2,486
Registered: ‎07-01-2010

Re: fcc.gov: connection timed out; no servers could be reached

 


ckujau wrote:

Comcast got back to me with non-DNSSEC opt-out servers (that is, with "Domain Helper" disabled):

 

  Standard (Opt-Out) DNS Servers:
Primary: 68.87.69.146
Secondary: 68.87.85.98

 

However, the issue persists: the new DNSSEC servers cannot resolve certain hostnames :-\


Steve and ckujau - can you post a sampling of the unresolvable host names?

 

Just 'Dete'
Retired Help Forums Admin
Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached

> Steve and ckujau - can you post a sampling of the unresolvable host names?

 

See above: fcc.gov would be an unresolvable host name. However, notice that www.fcc.gov *can* be resolved via 75.75.75.75 or 75.75.76.76:

$ dig @75.75.76.76 www.fcc.gov | grep '^[a-z]'
www.fcc.gov.            300 IN  CNAME  www.fcc.gov.akadns.net.
www.fcc.gov.akadns.net. 30  IN  A      192.104.54.5

Unfortunately I don't have any other examples yet, I came across fcc.gov only by chance.

Regular Contributor
Regular Contributor
Posts: 99
Registered: ‎09-13-2005

Re: fcc.gov: connection timed out; no servers could be reached

ccdete:

> can you post a sampling of the unresolvable host names?

 

There are lots of them.  See my thread.  Here are a few.

www.wrh.noaa.gov

sat.wrh.noaa.gov

www.weather.gov

www.nasa.gov

www.dnssec-failed.org

www.dnsviz.net

 

All these sites work when I use Google's 8.8.8.8!

 

Just how incompetent are the Comcast IT people?

(Not referring at all to the Comcast employees who post in these forums and are helpful.)

 

Based on the _large number of similar posts_ in this DNS forum, Comcast should fire one IT employee per week until the problem is solved.  I predict that the problem would be fixed before the second week arrived.  Seriously.

 

Too many similar problems for too long.  Management needs to get their full attention and commitment.

 

Customers don't pay this _huge_ amount of money for this level of incompetence.

 

Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached

> There are lots of them. See my thread. Here are a few.

> sat.wrh.noaa.gov

> www.wrh.noaa.gov

> www.nasa.gov

> www.weather.gov

> www.dnssec-failed.org

> www.dnsviz.net

 

Indeed these names cannot be resolved via 75.75.75.75 or 75.75.76.76. However:

 

* All your .gov examples are answered with NXDOMAIN, which makes one assume that DNSSEC is not working for those - but all of them (.gov) are checking out just fine.

 

* These two last examples fail the DNSSEC tests too (intentionally) - but instead of answering with NXDOMAIN, Comcast's DNSSEC servers just time out.

 

So, again: we have a workaround (add a 2nd or 3rd non-DNSSEC server to your resolver). But some real fix for this would be appreciated :-)

Official Employee
ComcastChrisGr
Posts: 329
Registered: ‎07-10-2008

Re: fcc.gov: connection timed out; no servers could be reached

 


ckujau wrote:

> There are lots of them. See my thread. Here are a few.

> sat.wrh.noaa.gov

> www.wrh.noaa.gov

> www.nasa.gov

> www.weather.gov

> www.dnssec-failed.org

> www.dnsviz.net

 

Indeed these names cannot be resolved via 75.75.75.75 or 75.75.76.76. However:

 

* All your .gov examples are answered with NXDOMAIN, which makes one assume that DNSSEC is not working for those - but all of them (.gov) are checking out just fine.

 

* These two last examples fail the DNSSEC tests too (intentionally) - but instead of answering with NXDOMAIN, Comcast's DNSSEC servers just time out.

 

So, again: we have a workaround (add a 2nd or 3rd non-DNSSEC server to your resolver). But some real fix for this would be appreciated :-)


 

We are currently investigating why these are failing and we will reply once we get resolution.

 

Thanks

 

Chris

Comcast

Retired Administrator
CC_Dete
Posts: 2,486
Registered: ‎07-01-2010

Re: fcc.gov: connection timed out; no servers could be reached

All - this should now be resolved. Please recheck this and let me know what you're seeing.

 

Just 'Dete'
Retired Help Forums Admin
Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached


> All - this should now be resolved. Please recheck this and

> let me know what you're seeing.

 

OK, so fcc.gov and the other hostnames mentioned earlier are now resolving. But what about the sites that are actually failing DNSSEC validation? Clearly www.dnssec-failed.org fails DNSSEC validation, and so does www.nasa.gov bugs.debian.org. But instead of answering with SERVFAIL (see your FAQ), it answers with the (hopefully) correct address.

 

So, either the FAQ has to be changed or someone has to look at those name servers again. (Yes, I realize that answering with SERVFAIL would be inconvenient to the end user and I got bitten by it too).

 

$ dig @75.75.76.76 www.dnssec-failed.org


; <<>> DiG 9.6-ESV-R3 <<>> @75.75.76.76 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; ANSWER SECTION:
www.dnssec-failed.org.  6376    IN      A       68.87.64.48

;; Query time: 12 msec
;; SERVER: 75.75.76.76#53(75.75.76.76)
;; WHEN: Thu Dec 16 13:03:58 2010
;; MSG SIZE  rcvd: 55

 

Thanks,

Christian.

Retired Administrator
CC_Dete
Posts: 2,486
Registered: ‎07-01-2010

Re: fcc.gov: connection timed out; no servers could be reached

Thanks - we'll take another look at this.

Just 'Dete'
Retired Help Forums Admin
Contributor
ckujau
Posts: 8
Registered: ‎12-07-2010

Re: fcc.gov: connection timed out; no servers could be reached

It seems this has been solved. fcc.gov (and other .gov domains) are being resolved with 75.75.75.75 and 75.75.76.76, while www.dnssec-failed.org is answered with SERVFAIL, just as expected:

 

$ dig @75.75.75.75 www.dnssec-failed.org


; <<>> DiG 9.7.2-P3 <<>> @75.75.75.75 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A

;; Query time: 14 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Sun Feb 27 23:09:40 2011
;; MSG SIZE  rcvd: 39


Thanks!
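
The thread distinguishes three resolver behaviours: a timeout, a NOERROR answer for a deliberately mis-signed name, and the expected SERVFAIL. The following shell sketch is an added example, not part of any post above; it classifies `dig` output into those cases and judges it against what a validating resolver should do. The function names and verdict labels are assumptions made for illustration, and the sample inputs are header lines trimmed from the dig runs posted in this thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread; function names are made up here.

# classify_dig: read dig output on stdin and print one of
# TIMEOUT, SERVFAIL, NXDOMAIN, NOERROR-ANSWER, NOERROR-NODATA, UNKNOWN.
classify_dig() {
  awk '
    /connection timed out; no servers could be reached/ { timeout = 1 }
    /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
      status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; flags:/ && match($0, /ANSWER: [0-9]+/) {
      answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    END {
      if (timeout)                  print "TIMEOUT"
      else if (status == "NOERROR") print (answers > 0 ? "NOERROR-ANSWER" : "NOERROR-NODATA")
      else if (status != "")        print status
      else                          print "UNKNOWN"
    }'
}

# verdict EXPECT RESULT
#   EXPECT=valid : name exists and its DNSSEC chain checks out (e.g. fcc.gov)
#   EXPECT=bogus : zone is deliberately mis-signed (e.g. www.dnssec-failed.org)
verdict() {
  case "$1:$2" in
    valid:NOERROR-ANSWER) echo "ok" ;;
    bogus:SERVFAIL)       echo "ok" ;;
    bogus:NOERROR-ANSWER) echo "validation-not-enforced" ;;
    *)                    echo "resolver-fault" ;;
  esac
}

# Header lines trimmed from the three dig runs posted in this thread.
sample_timeout()  { printf '%s\n' ';; connection timed out; no servers could be reached'; }
sample_noerror()  { printf '%s\n' \
  ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472' \
  ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'; }
sample_servfail() { printf '%s\n' \
  ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9012' \
  ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'; }

# Live use: verdict bogus "$(dig @75.75.75.75 www.dnssec-failed.org | classify_dig)"
if [ "${1:-}" = "demo" ]; then
  echo "fcc.gov, first post:          $(verdict valid "$(sample_timeout  | classify_dig)")"
  echo "dnssec-failed.org, Dec 2010:  $(verdict bogus "$(sample_noerror  | classify_dig)")"
  echo "dnssec-failed.org, Feb 2011:  $(verdict bogus "$(sample_servfail | classify_dig)")"
fi
```

Run with the argument `demo` to see the three verdicts for the thread's own captures.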