Maintained by: NLnet Labs

DNS issues (was: Not resolving some top level domain)

Viktor Dukhovni
Tue Feb 28 00:40:44 CET 2017

On Mon, Feb 27, 2017 at 12:54:11PM +0100, Carsten Strotmann wrote:

> However the domain "" has several errors, see
> <>
> and
> <>

It so happens that just yesterday I reported problems with IPv4 DNS
to the owners of

    $ dig +noall +ans +nocl +nottl -t mx
    MX 0
    MX 10
    MX 20

has DNSSEC-related problems as shown at:

The same can be verified with command-line DNS lookup utilities such
as "dig":

    $ dig +noall +ans +nocl +nottl -t ns
    NS
    NS
    NS
    NS

Queries to these nameservers for TLSA records fail:

    ; <<>> DiG 9.11.0-P3 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa @
    ;; connection timed out; no servers could be reached


and yet queries for the same name with the record type changed to
"A" correctly return an answer showing that no such name exists:

    ; <<>> DiG 9.11.0-P3 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -4 +norecur -t a @
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10894
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ; IN A            SOA 3592 10800 600 2419200 900 NSEC A RRSIG NSEC


This looks like a misconfigured Arbor Networks firewall that blocks
various DNS lookups over IPv4 (but not IPv6).  This is bad, since
many resolvers don't yet have IPv6 connectivity.  In addition to
potential impact on email delivery see also:

for why filtering of RRtypes is generally wrong.  Please address
this problem to ensure that email to arrives reliably in
a timely manner.
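
The comparison made in the message above (same server, TLSA times out while A is answered, and only over IPv4) can be run across saved dig output. This is an added example, not part of the original message; the nameserver names and sample output are constructed placeholders.

```python
import re
from collections import defaultdict

STATUS_RE = re.compile(r"->>HEADER<<-.*?status: (\w+)")
NXDOMAIN = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10894\n"
            ";; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1")
TIMEOUT = ";; connection timed out; no servers could be reached"

# Constructed sample: saved dig output keyed by (nameserver, transport, RRtype).
# ns1/ns2.example.net are placeholder names, not the servers from the message.
SAMPLES = {
    ("ns1.example.net", "ipv4", "TLSA"): TIMEOUT,
    ("ns1.example.net", "ipv4", "A"): NXDOMAIN,
    ("ns1.example.net", "ipv6", "TLSA"): NXDOMAIN,
    ("ns1.example.net", "ipv6", "A"): NXDOMAIN,
    ("ns2.example.net", "ipv4", "TLSA"): TIMEOUT,  # unreachable server:
    ("ns2.example.net", "ipv4", "A"): TIMEOUT,     # every type times out
}

def outcome(dig_text):
    """Return the RCODE named in dig's header line, or TIMEOUT if no reply came."""
    m = STATUS_RE.search(dig_text)
    if m:
        return m.group(1)
    return "TIMEOUT" if "timed out" in dig_text else "UNKNOWN"

def find_rrtype_filtering(samples):
    """Flag (server, transport) paths that answer some RRtypes but drop others.

    A path where every query times out is an unreachable server, not
    type-based filtering, so it is deliberately not reported.
    """
    by_path = defaultdict(dict)
    for (server, transport, rrtype), text in samples.items():
        by_path[(server, transport)][rrtype] = outcome(text)
    findings = []
    for (server, transport), results in sorted(by_path.items()):
        dropped = sorted(t for t, o in results.items() if o == "TIMEOUT")
        answered = sorted(t for t, o in results.items()
                          if o not in ("TIMEOUT", "UNKNOWN"))
        if dropped and answered:
            findings.append((server, transport, dropped, answered))
    return findings

if __name__ == "__main__":
    for server, transport, dropped, answered in find_rrtype_filtering(SAMPLES):
        print(f"{server} over {transport}: no reply for {dropped}, "
              f"replies for {answered}")
```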