ocsp.verisign.com ipv6 dns broken?

Bill Owens owens at nysernet.org
Fri Oct 19 17:55:22 CEST 2012

On Fri, Oct 19, 2012 at 05:02:01PM +0200, Florian Lohoff wrote:
> Hi,
> is this a known issue? Asking for AAAA or ANY just
> does not give ANY response which obviously breaks down
> for any resolver trying to be clever and retrieving
> quad-A records together with an A RR

It is perhaps more correct to say that DNS for ocsp.verisign.net is broken...

Back in March I came across a pointer to what looked like DNSSEC problems with ocsp.verisign.com (which is a CNAME to .net). Some poking around revealed that although ocsp.verisign.net is delegated out of verisign.net, there isn't really a zone below the cut - the servers won't respond with anything except A records, no SOA, no NS (and no AAAA). This brief email exchange resulted: <http://dnssec-deployment.org/pipermail/dnssec-deployment/2012-March/005890.html>

The unofficial response from Verisign was that the queries are being handled by a GSLB, which apparently means that we should not expect it to behave correctly. At that time, however, the servers were providing NOERROR for AAAA, which at least meant the query stopped quickly. Looks like something has changed, and now they're just timing out.

Given the not-exactly-helpful response I received from Verizon back in the spring I'm not anxious to email them about this, but you might want to give it a try. Perhaps this time they'll be less unhappy at having their problems pointed out ;)
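The kind of probe the poster describes (asking the authoritative servers for A, AAAA, SOA and NS and noting whether each comes back answered, as an empty NOERROR, or not at all) can be scripted with nothing but the Python standard library. The following is an added example written for this thread, not code from the original post or from Verisign; it builds the raw DNS query on the wire, sends it over UDP with a timeout, and classifies the reply so that a server that silently drops AAAA queries shows up as TIMEOUT rather than as an error. The nameserver address passed on the command line is a placeholder you fill in; the name ocsp.verisign.net is the one under discussion.

```python
import random
import socket
import struct
import sys

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "AAAA": 28, "ANY": 255}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid):
    """Header (id, flags with RD set, qdcount=1) followed by one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(data):
    """Pull out the header fields that matter for diagnosis; the body is not decoded."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "aa": bool(flags & 0x0400),   # authoritative answer bit
        "qdcount": qd, "ancount": an, "nscount": ns,
    }


def classify(result):
    """Turn a parsed header (or None for no reply) into a one-word verdict."""
    if result is None:
        return "TIMEOUT"
    if result["rcode"] != "NOERROR":
        return result["rcode"]
    if result["ancount"] == 0:
        return "NOERROR/NODATA"   # the 'stops quickly' case the post mentions
    return "ANSWERED"


def probe(name, qtype, server, timeout=3.0):
    """Send one query to `server` (IPv4 or IPv6 literal); None means no usable reply."""
    txid = random.randrange(0, 0x10000)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    result = parse_response(data)
    if result["id"] != txid:      # stray or forged packet, not our answer
        return None
    return result


def report(name, server, types=("A", "AAAA", "SOA", "NS")):
    """Probe each record type once and map it to its verdict."""
    return {t: classify(probe(name, t, server)) for t in types}


if __name__ == "__main__":
    # usage: python probe.py <nameserver-ip> [name]
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    name = sys.argv[2] if len(sys.argv) > 2 else "ocsp.verisign.net"
    for qtype, verdict in report(name, server).items():
        print("%-5s %s" % (qtype, verdict))
```

A healthy delegation answers SOA and NS for the zone apex and returns NOERROR (with or without data) for AAAA; a pattern of ANSWERED for A and TIMEOUT for everything else is what a resolver that issues A and AAAA queries in parallel will stall on. Because the probe asks the authoritative server directly rather than a recursive resolver, caching cannot mask the behaviour.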
