Troubleshooting DNSSEC issue w/ ic.fbi.gov

Mark Andrews marka at isc.org
Wed Jul 17 21:38:08 UTC 2013


In message <1673423961.50595218.1374096753729.JavaMail.root at k-state.edu>, "Lawrence K. Chen, P.Eng." writes:
> 
> 
> ----- Original Message -----
> > On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
> > > On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> > > > Hello;
> > > > 
> > > > Running BIND 9.8.2 in RHEL6 (at the latest vendor provided
> > > > version --
> > > > bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue
> > > > resolving
> > > > ic.fbi.gov that seems to be DNSSEC related.
> > > > 
> > > > Am fairly certain of this because if I set dnssec-enable and
> > > > dnssec-validation to no (have them at 'yes' normally), resolution
> > > > succeeds.
> > > > 
> > > > If I run a dig @nameserver ic.fbi.gov from a client machine, dig
> > > > just
> > > > hangs for a bit then eventually times out.  dig @nameserver
> > > > fbi.gov
> > > > works fine....
> > > 
> > > This is one of the weirder ones I've seen. . . there are TXT and MX
> > > records for ic.fbi.gov, both correctly signed:
> > > 
> > > ;; ANSWER SECTION:
> > > ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120
> > > 20130716154120 32497 fbi.gov.
> > > kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
> > > mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
> > > OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
> > > ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
> > > ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120
> > > 20130716154120 32497 fbi.gov.
> > > iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
> > > z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
> > > 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
> > > ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov
> > > mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov
> > > include:mail.leo.gov mx:mail.leo.gov ?all"
> > > 
> > > There's also an NSEC3 record for ic.fbi.gov, asserting that there
> > > are
> > > only MX, TXT and RRSIG records for it:
> > > 
> > > 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
> > > 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
> > > 
> > > However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
> > > with checking disabled but also request DNSSEC records, you'll get
> > > it. If you ask with checking enabled, you won't, because it can't
> > > be
> > > validated. This seems to be true for the whole fbi.gov zone, at
> > > least
> > > the records I checked. So any query to fbi.gov that returns a
> > > record
> > > will be okay, anything that doesn't will end up with a SERVFAIL.
> > > 
> > > Bill.
> > > 
> > 
> > Thanks for the replies, all.  Am trying to find a hostmaster contact
> > at
> > fbi.gov to make them aware.
> > 
> > In the meantime, I'll convince Sendmail to not try to look up this
> > domain during sender verification. :)
> > 
> > Ray
> > _______________________________________________
> 
> 
> Try contacting dotgov.gov
> 
> registrar at dotgov.gov or 877-734-4688 or 703-948-0723
> 
> They'll have phone numbers for the people they need to contact for fbi.gov to
>  get things fixed.
 
Which would not be required if .gov had a properly functioning whois.
Could all US residents on this list contact your Congress Critters
and complain about this stupidity.

Mark

> -- 
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> Snail: Computing and Telecommunications Services (CTS)
> Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
> Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
> Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>  from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
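The failure Bill diagnoses in the quoted thread (an RRset with no covering RRSIG, so a validating resolver has nothing it can verify and answers SERVFAIL) is easy to check mechanically once the records are in hand. The script below is an added example, not part of the thread and not BIND or ISC code. It takes the records quoted above, re-flowed to one record per line (dig wraps RRSIG rdata across lines, so real output has to be joined first; the sample is constructed that way), and reports every (owner, type) pair that lacks an RRSIG. It also goes one step beyond the thread and flags RRSIGs whose expiration/inception window excludes a reference time, since an expired signature produces the same SERVFAIL symptom from the resolver's point of view.

```python
"""Spot unsigned RRsets and out-of-window RRSIGs in dig-style output.

Added example; not from the original thread. It works on a simplified
text form where each record occupies one line (dig wraps RRSIG rdata,
so real output must be re-flowed before it is fed in).
"""
from datetime import datetime, timezone

# Constructed sample built from the records quoted in the thread, re-flowed
# to one record per line. The NSEC3 at the end has no covering RRSIG.
SAMPLE = """\
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMkmYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdROknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7CJw=
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhLz2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpXnxY=
ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception are UTC timestamps


def parse_records(text):
    """Yield (owner, rrtype, rdata_tokens) per record; skip blanks and ';' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _class, rrtype, *rdata = line.split()
        yield owner.lower(), rrtype.upper(), rdata


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that have no RRSIG covering them.

    A validating resolver cannot accept such an RRset, so any answer that
    depends on it (here: the NSEC3 proving which types exist) ends in SERVFAIL.
    """
    present, covered = set(), set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # rdata[0] is the type covered
        else:
            present.add((owner, rrtype))
    return sorted(present - covered)


def stale_signatures(text, now):
    """Return (owner, covered type) for RRSIGs whose validity window excludes `now`.

    RRSIG rdata order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer, signature. `now` may be a
    timezone-aware datetime or an RRSIG-style YYYYMMDDHHMMSS string.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, RRSIG_TIME).replace(tzinfo=timezone.utc)
    stale = []
    for owner, rrtype, rdata in parse_records(text):
        if rrtype != "RRSIG":
            continue
        covered, expiration, inception = rdata[0], rdata[4], rdata[5]
        exp = datetime.strptime(expiration, RRSIG_TIME).replace(tzinfo=timezone.utc)
        inc = datetime.strptime(inception, RRSIG_TIME).replace(tzinfo=timezone.utc)
        if not inc <= now <= exp:
            stale.append((owner, covered.upper()))
    return stale


if __name__ == "__main__":
    # Reference time taken from the date of the last message in the thread.
    when = datetime(2013, 7, 17, 21, 38, 8, tzinfo=timezone.utc)
    for owner, rrtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covers {rrtype} at {owner}")
    for owner, rrtype in stale_signatures(SAMPLE, when):
        print(f"RRSIG over {rrtype} at {owner} is outside its validity window")
```

Run against the sample, the only finding is the unsigned NSEC3 under fbi.gov, which matches the thread's conclusion: positive answers for MX and TXT validate, while anything that depends on the NSEC3 (a query for a type the name does not have) cannot. The same two checks are worth running with `dig +dnssec +cd` output from your own resolver whenever a single zone starts returning SERVFAIL only with validation on.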