dnssec question. confused.

Brad Bendily Brad.Bendily at LA.GOV
Tue Sep 27 20:45:16 UTC 2011


When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest

behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2011-09-27 20:32:34 UTC"
"205.172.49.177 sent EDNS buffer size 4096"
"205.172.49.177 DNS reply size limit is at least 490"


Which, based on the website, tells me our firewall is blocking
or filtering EDNS/DNSSEC packets.



However, what I'm confused about is when I run this command:
dig +dnssec eeoc.gov

I get:

; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;eeoc.gov.                      IN      A

;; ANSWER SECTION:
eeoc.gov.               19499   IN      A       64.94.64.52
eeoc.gov.               19499   IN      RRSIG   A 7 2 21600 20111208014816 20110909014816 52909 eeoc.gov. AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B 9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==

;; AUTHORITY SECTION:
eeoc.gov.               66519   IN      NS      dnssec10.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec14.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec11.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec12.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec9.datamtn.com.

;; ADDITIONAL SECTION:
dnssec9.datamtn.com.    3114    IN      AAAA    2001:49f0:a02a:1000::238
dnssec11.datamtn.com.   3114    IN      AAAA    2001:470:1:7a::147
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 7 3 10800 20111125185428 20110827185428 21352 datamtn.com. Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6 RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0 prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 8 3 10800 20111125185428 20110827185428 61898 datamtn.com. NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101 C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1 jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x /Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId 1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH yLUNrjhcO0cj/vVf1YrrIzZXF69zKGYfsCP876zKoVtlrUe1dZ0bersP 4I9klg==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 7 3 10800 20111125185428 20110827185428 21352 datamtn.com. Lgt6Wq5JvvAF6BKUUoPSiv6lx0yqQ3HAFoClEcg11V7XhIngeaTperu7 7lytmKl53yZUxarFbQdJ/NxwwNVl/F2Os5RkNHkAjVTkku1mjoMeqEhF NDe+cvYOOo0EASc9LhmHo2qgkyhjGAt1FtbmrOG9Gwr5OdUM5l2EgcGj bRvH1Sfv5le68ST1+74sQPKmp+3n0gopfKUlcYuDDw/mUKXR8lo3MCTv xe6q6NbwHNHWBCgUw4rqX4ZdVArL4WumKvkufeieDJpMhKwHlWHyPvu9 pX1IsZRyQPo9RqnmSpG+yjR59ixbb23LyO6alrEDJTyaJZL8uHfwiTQ8 4V29tQ==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 8 3 10800 20111125185428 20110827185428 61898 datamtn.com. vtFFEZbruIfnwSGAdlXukUn40SOEIZY9QXrHh6CfOl3WkQduSnbvgS5T +e2QN6GDcZgigGON8yHHTS8DI8ld/tCxxVkwB3ISkqkQHrjyyRD6+8IR J2BWsdMTyAhe9PygLR1FkfCt1JDaDnAbOKOniMT+6DRlnE7ZW7KfvZT/ 7j5qG+xDixCXUHyhnstbv9vmMPTxnK1ASy6nz7ErnA/DUMleO484xIgM 6Pc8uqy3Onw4Yfn4l5R66tQwC0yoSVwqmEyIWNWyx1SNQLFzUc1hySaF aQs1L/Zyu9e/wSHdZUeGiOwx5cz3yWE2NsF3tagxukkL9vNu2s/nyjzR 3igT3g==

;; Query time: 1 msec
;; SERVER: 10.120.11.107#53(10.120.11.107)
;; WHEN: Tue Sep 27 15:34:07 2011
;; MSG SIZE  rcvd: 1726


Which tells me my DNSSEC queries are working, right?
I noticed in the "OPT PSEUDOSECTION" udp=4096.

This started because, as the DNS admin, I was informed today that we could not resolve
this domain, eeoc.gov, which was true. As I started digging into it and performing a
dig from an offsite server, which was working, I found that the domain "eeoc.gov" is
running DNSSEC. So I assumed the problem was our firewall blocking or filtering
the DNSSEC traffic. But after researching for a few hours, I found we were able
to resolve the domain, with no changes to DNS.
It could be that "datamtn.com", their authoritative NS, are performing
maintenance or something. So all this research led me to the information above.

Are we getting EDNS/DNSSEC responses or no?
thanks
bb
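The two results in the post measure different hops, which is why they seem to disagree. The OARC test is answered by the resolver's outbound path: it advertised a 4096-byte EDNS buffer, yet the largest reply that came back was 490 bytes, below even the classic 512-byte UDP limit, so anything needing EDNS never arrived. The dig ran against the on-site resolver 10.120.11.107 and only shows the client-to-resolver hop: a 1726-byte reply arrived untruncated (EDNS works on that hop), DO is set but AD is clear (the resolver returned RRSIGs without validating them). The script below is an added example, not from the original post or from the bind-users list; it parses saved copies of the two outputs and makes that reading explicit. The sample inputs are constructed to match the shape of the outputs quoted above and the script does no DNS traffic of its own.

```python
"""Interpret the DNS-OARC reply-size test and a `dig +dnssec` run against a
local resolver.  Added example: parses saved tool output, no network use."""
import ipaddress
import re

# Constructed sample input: shaped like the two outputs quoted in the post.
OARC_OUTPUT = """\
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2011-09-27 20:32:34 UTC"
"205.172.49.177 sent EDNS buffer size 4096"
"205.172.49.177 DNS reply size limit is at least 490"
"""

DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; Query time: 1 msec
;; SERVER: 10.120.11.107#53(10.120.11.107)
;; MSG SIZE  rcvd: 1726
"""

CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum DNS UDP payload (RFC 1035)


def parse_oarc(text):
    """Pull the advertised EDNS buffer and the largest reply that got through.
    Each xNNN label in the CNAME chain is a reply size the resolver received."""
    sizes = set()
    for m in re.finditer(r"^rst\.((?:x\d+\.)+)rs\.dns-oarc\.net\.", text, re.M):
        sizes.update(int(n) for n in re.findall(r"x(\d+)", m.group(1)))
    adv = re.search(r"sent EDNS buffer size (\d+)", text)
    lim = re.search(r"reply size limit is at least (\d+)", text)
    return {
        "advertised": int(adv.group(1)) if adv else None,
        "limit": int(lim.group(1)) if lim else None,
        "sizes_seen": sorted(sizes),
    }


def assess_oarc(r):
    """Classify the resolver's outbound path from the OARC result."""
    if r["advertised"] is None:
        return "no-edns"              # resolver sent no OPT record at all
    if r["limit"] is None:
        return "unknown"
    if r["limit"] >= r["advertised"]:
        return "ok"                   # the full advertised size arrived
    if r["limit"] < CLASSIC_UDP_LIMIT:
        # Resolver asked for a large buffer, yet nothing above the classic
        # 512-byte ceiling came back: large (EDNS/DNSSEC) replies are dropped.
        return "edns-replies-dropped"
    return "path-limited"             # EDNS works, but below the advertised size


def parse_dig(text):
    """Extract header flags, OPT pseudosection, server and reply size from dig."""
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS: version: (\d+), flags: ?([a-z ]*); udp: (\d+)", text, re.M)
    size = re.search(r"MSG SIZE\s+rcvd: (\d+)", text)
    server = re.search(r"^;; SERVER: ([^#]+)#", text, re.M)
    return {
        "flags": flags.group(1).split() if flags else [],
        "edns_flags": edns.group(2).split() if edns else [],
        "udp": int(edns.group(3)) if edns else None,
        "size": int(size.group(1)) if size else None,
        "server": server.group(1) if server else None,
    }


def assess_dig(d):
    """Return finding codes for what the dig reply does and does not prove."""
    if d["udp"] is None:
        return ["no-edns"]            # no OPT record in the reply
    codes = []
    if d["size"] is not None and d["size"] > CLASSIC_UDP_LIMIT and "tc" not in d["flags"]:
        codes.append("edns-ok-to-resolver")  # >512 bytes arrived over UDP untruncated
    if "do" in d["edns_flags"] and "ad" not in d["flags"]:
        codes.append("not-validated")        # RRSIGs returned, but AD bit is clear
    if d["server"] and ipaddress.ip_address(d["server"]).is_private:
        codes.append("local-hop-only")       # measures client->resolver, not the firewall path
    return codes


if __name__ == "__main__":
    print("OARC:", assess_oarc(parse_oarc(OARC_OUTPUT)))
    print("dig: ", assess_dig(parse_dig(DIG_OUTPUT)))
```

To test the hop that actually crosses the firewall, the same dig must be run from the resolver itself against an authoritative server (for example one of the datamtn.com hosts listed in the AUTHORITY section), or the OARC test must be repeated after the firewall change; a dig from a client to the on-site cache will keep returning "edns-ok-to-resolver" regardless.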


