Troubleshooting DNSSEC issue w/ ic.fbi.gov
Ray Van Dolson
rvandolson at esri.com
Wed Jul 17 16:49:18 UTC 2013
Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
ic.fbi.gov that seems to be DNSSEC related.
Am fairly certain of this because if I set dnssec-enable and
dnssec-validation to no (have them at 'yes' normally), resolution
If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
hangs for a bit then eventually times out. dig @nameserver fbi.gov
On my BIND server, I see the following in a packet capture:
0.000000 22.214.171.124 -> 126.96.36.199 DNS Standard query A ic.fbi.gov
0.026504 188.8.131.52 -> 184.108.40.206 DNS Standard query response
0.026927 220.127.116.11 -> 18.104.22.168 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
0.042998 22.214.171.124 -> 126.96.36.199 DNS Standard query response, No such name
0.043485 188.8.131.52 -> 184.108.40.206 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
0.048186 220.127.116.11 -> 18.104.22.168 DNS Standard query response, No such name
0.048595 22.214.171.124 -> 126.96.36.199 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
0.053765 188.8.131.52 -> 184.108.40.206 DNS Standard query response, No such name
30.043683 220.127.116.11 -> 18.104.22.168 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
30.061169 22.214.171.124 -> 126.96.36.199 DNS Standard query response, No such name
So it seems like the issue is related to the DS records queried not
existing, but I've checked a few DNSSEC validation tools out there by
plugging ic.fbi.gov in and things appear to check out. This could be
firewall related on my side (we have Checkpoint firewalls), but other
DNSSEC queries appear to be working OK.
A dig @188.8.131.52 +dnssec ic.fbi.gov works OK as well also making me think
the issue is somehow on my side....
Am reading up on additional troubleshooting steps for DNSSEC, but still
wrapping my head around concepts.
Anyone have any tips as to where to start "digging" next based on what
I'm seeing above?
More information about the bind-users