Forum Discussion

Richard_H_12595
Jun 09, 2014

GTM DNSSEC and dig

In my quest to work with dotgov to get DNSSEC enabled on the GTM (it shouldn't be this hard), the latest thing they are saying is that dig is not returning the DNSKEY records. The command they are using to check is dig @nameserver mydomain.gov ANY +dnssec +multiline, which I tested, and it in fact does not return the DNSKEY records. However, dig -t DNSKEY does. They are insisting that's why our domain won't validate.

 

I did some testing and it's true that dig with a query type of ANY does not return the DNSKEY records on the GTM with DNSSEC but it does if I test against a bind9 server running DNSSEC.

 

Anyone else ever come across this? I find it odd that the F5 doesn't return DNSKEY records for an ANY type query, and it does seem like a bug to me.

 

5 Replies

  • It may be because the query over UDP is being truncated and is reattempted over TCP, which is blocked somewhere along the path to your GTM. Common behavior when requesting type ANY, which usually returns quite a bit of data. That's a poor testing solution by dotgov.

     

  • Thanks Cory,

     

    I replicated this behavior in my lab using machines on the same network and double checked that I had both a TCP and UDP listener configured. It's something to consider on traffic in the wild, however.

     

  • Did you perform a tcpdump to see if a TCP connection was initiated from dotgov and arrived at your GTM?

     

    We encountered a strange situation in our environment that I want to bring up as a consideration if you have Cisco Nexus switches in your network. We noticed some DNSSEC queries were failing and upon digging into it, we found our Nexus 7k was doing some fragment inspection and dropping the fragments. The command to turn off fragment inspection is 'no hardware ip verify fragment'. You can check if it's enabled by running 'show hardware ip verify'.

     

  • I double checked that and it doesn't look like that is affecting us. The 7k's have been running for upwards of a year and we only have a few thousand hits for destination zero and a handful of checksum ones. I also tested doing the dig ANY and it didn't increment the counters.

     

    If I do this to a bind server configured with DNSSEC, it works fine and returns the DNSKEY records, but if I do it to a GTM configured with DNSSEC, the ANY keyword doesn't return the DNSKEY records, which really tells me it's something inside the GTM. We are on 11.4 in production and 11.4.1 in my lab and both do it, but I have not tested it on 11.5 yet to see if the behavior is different there.

     

  • If you run a tcpdump on your GTM, do you see it responding to the queries that aren't working? This is the best way to show that GTM is either responding correctly and the response isn't getting back to your client, or the GTM itself is the issue.