This is the same issue I reported in bug 662077, expect that I have determined that the issue is not restricted to Time Warner servers and that it is not at all DNSSEC related. The real issue seems to be UDP checksum errors in the DNS reply packets. It seems to be somehow be related to the geographical location of the DNS server your desktop is using to resolve hostnames. From some DNS server I never get UDP checksum errors from others I get checksum errors most of the time. This is from identically configured DNS servers which do not see this issue in resolving hosts in other DNS domains. As I mentioned in the other bug, I collected data form my company network and cannot include further details int he bug itself, but will be sending a followup email to email@example.com with more information.
Assignee: server-ops → network-operations
Component: Server Operations → Server Operations: Netops
firstname.lastname@example.org is the correct email.
I found the issue. I was seeing the trouble from some but not all of our work Internet locations. It turns out that the firewall configurations on the 2 where I was seeing the issue had the Cisco inspect dns turned on. Evidently with the code level we are running that does not work correctly with DNSSEC.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
If there is a Cisco bug ID for this could you share it? It would be helpful for our knowledge base when dealing with similar reports. Thanks.
I did some searching on the Cisco website and if you have DNS inspection enabled, you have to increase the maximum permitted message length to at least 4096 in order for DNSSEC to work. I tried that, and it fixed the issue.
Summary: DNS timeouts resolving mozilla.org names form some locations → DNS timeouts resolving mozilla.org names from some locations
Product: mozilla.org → Infrastructure & Operations
You need to log in before you can comment on or make changes to this bug.