USADOTGOV.NET Root Problems?
Merton Campbell Crockett
m.c.crockett at roadrunner.com
Fri Jul 23 03:08:51 UTC 2010
Thanks for the confirmation that the problem was related to DNSSEC.
I didn't see your message until I got home from work; however, I did find the root of the problem late this afternoon. At each of our Internet egress and ingress points, we have Cisco ASA devices sitting in front of a pair of redundant firewalls. Each ASA is configured with the default DNS inspect policy that doesn't accept fragmented UDP packets.
On Jul 22, 2010, at 9:42 AM, Nicholas Wheeler wrote:
> Hello,
>
> From what I can see, radar.weather.gov is currently unsigned. There's a KSK, but I see no ZSKs, and cannot complete the chain of trust.
>
> On the other hand, noaa.gov is a signed zone, and I can complete the chain of trust. It does not seem like the usadotgov.net root name servers have a problem.
>
> If you would like to test, this is the tool used by dotgov.gov's helpdesk to test DNSSEC. Unfortunately, it's not a very good website.
>
> http://www.dnssecreport.com/DNSSECReport/DNSKeyReport.aspx
>
> Thanks,
>
> -- Nicholas Wheeler
>
> Merton Campbell Crockett wrote:
>> Does anyone know if there have been problems with the USADOTGOV.NET root name servers today?
>> We've had people complaining about resolving RADAR.WEATHER.GOV and several systems in the NOAA.GOV domain. If you query for the NS resource records, you only receive the ANSWER section. The ADDITIONAL section with the addresses is missing.
>> --
>> Merton Campbell Crockett
>> m.c.crockett at roadrunner.com
--
Merton Campbell Crockett
m.c.crockett at roadrunner.com
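
Added example, not part of the original messages: a Python sketch of the wire-level pieces behind this diagnosis, namely a query carrying an EDNS0 OPT record with the DO bit, a reply-header summary for the "ANSWER only" symptom, and a size check showing when a UDP reply exceeds 512 bytes or needs IP fragmentation. The function names, the 1500-byte MTU, and the option-free 20-byte IPv4 header are assumptions, and the sample reply header is constructed.

```python
import struct

def build_query(name, qtype=2, bufsize=4096, do=True, qid=0x1234):
    """Build a DNS query (default qtype 2 = NS) with an EDNS0 OPT record."""
    # Header: id, flags (RD set), 1 question, 0 answer, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, CLASS = advertised UDP payload size,
    # TTL = ext-rcode | version | flags (DO = 0x8000), RDLEN = 0
    ttl = 0x8000 if do else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, ttl, 0)
    return header + question + opt

def parse_reply_header(msg):
    """Summarise the 12-byte DNS header: TC bit, rcode and section counts."""
    _qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar}

def classify_size(dns_len, mtu=1500):
    """Say how a UDP/IPv4 DNS reply of dns_len bytes has to travel."""
    if dns_len <= 512:
        return "fits the classic 512-byte limit"
    if dns_len + 8 + 20 <= mtu:  # 8-byte UDP header, 20-byte IPv4 header (assumed)
        return "needs EDNS0, single packet"
    return "needs EDNS0, IP-fragmented"

if __name__ == "__main__":
    query = build_query("noaa.gov")
    print(len(query), query.hex())
    # Constructed reply header: 4 answers, empty AUTHORITY and ADDITIONAL
    sample = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)
    print(parse_reply_header(sample))
    for size in (480, 1200, 2300):  # constructed reply sizes
        print(size, classify_size(size))
```

Sending the same query with `bufsize=512` and with `bufsize=4096` through the suspect path, then comparing the replies, separates a 512-byte message-length limit from a fragment drop.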