Troubleshooting DNSSEC issue w/ ic.fbi.gov
owens at nysernet.org
Wed Jul 17 17:58:25 UTC 2013
On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out. dig @nameserver fbi.gov
> works fine....
This is one of the weirder ones I've seen... there are TXT and MX records for ic.fbi.gov, both correctly signed:
;; ANSWER SECTION:
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov ip4:22.214.171.124 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"
There's also an NSEC3 record for ic.fbi.gov, asserting that there are only MX, TXT and RRSIG records for it:
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
However, that NSEC3 record is not signed. If you ask for ic.fbi.gov with checking disabled but also request DNSSEC records, you'll get it. If you ask with checking enabled, you won't, because it can't be validated. This seems to be true for the whole fbi.gov zone, at least the records I checked. So any query to fbi.gov that returns a record will be okay, anything that doesn't will end up with a SERVFAIL.
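The diagnosis above boils down to two checks a resolver operator can make by hand on the output of a checking-disabled query (dig +cd +dnssec @nameserver ic.fbi.gov): does every RRset in the response carry an RRSIG, and does the NSEC3 whose owner is the hash of the queried name list the types that actually came back. The script below is an added example, not code from the thread or from BIND; it parses presentation-format records, reports RRsets with no covering RRSIG, and computes the RFC 5155 NSEC3 hash (SHA-1, salt, iterations, base32hex) so the NSEC3 owner can be matched to the name. The sample records are constructed from the thread; the signature bodies are placeholders and the short TXT string is made up.

```python
"""Offline checks for a DNSSEC response: unsigned RRsets and NSEC3 bitmap
agreement.  Added example, not code from the thread or from BIND.
Input is assumed to be presentation-format records as printed by dig."""
import base64
import hashlib

# Constructed sample modeled on the thread: signed MX and TXT for ic.fbi.gov
# plus an NSEC3 that has no RRSIG.  Signature bodies are placeholders.
SAMPLE_RESPONSE = """\
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG==
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG==
ic.fbi.gov. 261 IN TXT "v=spf1 a mx ?all"
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""


def parse_records(text):
    """Parse 'owner TTL class type rdata...' lines into (owner, type, rdata tokens)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        records.append((owner.lower(), rtype.upper(), rdata))
    return records


def find_unsigned_rrsets(records):
    """Return sorted (owner, type) pairs with no RRSIG covering them.
    A validating resolver treats each such RRset as bogus, hence SERVFAIL."""
    present = set()
    covered = set()
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            # RRSIG RDATA begins with the type it covers.
            covered.add((owner, rdata[0].upper()))
        else:
            present.add((owner, rtype))
    return sorted(present - covered)


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 NSEC3 hash: SHA-1 over the canonical wire-format owner name
    plus salt, re-hashed `iterations` more times, rendered as base32hex."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    wire += b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Standard base32 and base32hex encode the same 5-bit groups with different
    # alphabets, so a character translation converts between them.
    std = base64.b32encode(digest).decode("ascii")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))


def nsec3_for(records, name):
    """Find the NSEC3 whose owner is the hash of `name` (using that record's
    own salt and iteration count) and return (bitmap types, types actually
    seen for `name`), or None if no NSEC3 in the response hashes to it."""
    seen = {rtype for owner, rtype, _ in records if owner == name.lower()}
    for owner, rtype, rdata in records:
        if rtype != "NSEC3":
            continue
        _alg, _flags, iterations, salt, _next_hash, *bitmap = rdata
        hashed_label = owner.split(".", 1)[0].upper()
        if nsec3_hash(name, salt, int(iterations)) == hashed_label:
            return set(bitmap), seen
    return None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RESPONSE)
    for owner, rtype in find_unsigned_rrsets(recs):
        print(f"unsigned RRset: {owner} {rtype}")
    match = nsec3_for(recs, "ic.fbi.gov.")
    if match is None:
        print("no NSEC3 in this response hashes to ic.fbi.gov.")
    else:
        bitmap, seen = match
        print("NSEC3 bitmap:", sorted(bitmap), "types seen:", sorted(seen))
```

On the constructed sample the unsigned-RRset check flags exactly the NSEC3, which is the condition the thread describes: the positive answer validates, while any response that has to rely on the NSEC3 for a denial cannot, so those queries end in SERVFAIL. Feeding the script the real output of a +cd +dnssec query (with the signature and TXT fields intact) lets an operator confirm the same thing against a live zone.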