Troubleshooting DNSSEC issue w/ ic.fbi.gov

Michael Sinatra michael at rancid.berkeley.edu
Wed Jul 17 21:55:49 UTC 2013


On 7/17/13 2:38 PM, Mark Andrews wrote:
> 
> In message <1673423961.50595218.1374096753729.JavaMail.root at k-state.edu>, "Lawrence K. Chen, P.Eng." writes:
>>
>>
>> ----- Original Message -----
>>> On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
>>>> On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
>>>>> Hello;
>>>>>
>>>>> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided
>>>>> version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue
>>>>> resolving ic.fbi.gov that seems to be DNSSEC related.
>>>>>
>>>>> Am fairly certain of this because if I set dnssec-enable and
>>>>> dnssec-validation to no (have them at 'yes' normally), resolution
>>>>> succeeds.
>>>>>
>>>>> If I run a dig @nameserver ic.fbi.gov from a client machine, dig
>>>>> just hangs for a bit then eventually times out.  dig @nameserver
>>>>> fbi.gov works fine....
>>>>
>>>> This is one of the weirder ones I've seen. . . there are TXT and MX
>>>> records for ic.fbi.gov, both correctly signed:
>>>>
>>>> ;; ANSWER SECTION:
>>>> ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120
>>>> 20130716154120 32497 fbi.gov.
>>>> kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
>>>> mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
>>>> OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
>>>> ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
>>>> ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120
>>>> 20130716154120 32497 fbi.gov.
>>>> iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
>>>> z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
>>>> 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
>>>> ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov
>>>> mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov
>>>> include:mail.leo.gov mx:mail.leo.gov ?all"
>>>>
>>>> There's also an NSEC3 record for ic.fbi.gov, asserting that there
>>>> are only MX, TXT and RRSIG records for it:
>>>>
>>>> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
>>>> 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
>>>>
>>>> However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
>>>> with checking disabled but also request DNSSEC records, you'll get
>>>> it. If you ask with checking enabled, you won't, because it can't
>>>> be validated. This seems to be true for the whole fbi.gov zone, at
>>>> least the records I checked. So any query to fbi.gov that returns a
>>>> record will be okay, anything that doesn't will end up with a SERVFAIL.
>>>>
>>>> Bill.
>>>>
>>>
>>> Thanks for the replies, all.  Am trying to find a hostmaster contact
>>> at fbi.gov to make them aware.
>>>
>>> In the meantime, I'll convince Sendmail to not try to look up this
>>> domain during sender verification. :)
>>>
>>> Ray
>>
>>
>> Try contacting dotgov.gov
>>
>> registrar at dotgov.gov or 877-734-4688 or 703-948-0723
>>
>> They'll have phone numbers for the people they need to contact for fbi.gov to
>> get things fixed.
>  
> Which would not be required if .gov had a properly functioning whois.
> Could all US residents on this list contact your Congress Critters
> and complain about this stupidity.

The SOA RNAME should work:

fbi.gov.        600    IN    SOA    ns1.fbi.gov. dns-admin.fbi.gov.
2013071601 7200 3600 2592000 43200

fbi.gov's MX is resolvable down to an IP address, so mail should get
through, depending on your MTA.

michael
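The failure Bill Owens describes above (an NSEC3 record returned without a covering RRSIG, so negative answers cannot validate and the resolver answers SERVFAIL) can be spotted mechanically in a dig authority section. The script below is an added example, not code from anyone in this thread; the sample records are constructed in the shape of the thread's data (the RRSIG signature field is a placeholder) and the function and variable names are my own.

```python
"""Flag denial-of-existence RRsets (NSEC/NSEC3) in a DNS authority section
that have no covering RRSIG. A validating resolver that sees such a record
in a negative answer cannot prove the name/type is absent and answers
SERVFAIL, which is the symptom described in the thread."""
import re

# Constructed sample in dig presentation format, modelled on the thread:
# the SOA is signed, the NSEC3 is not. Signature data is a placeholder.
SAMPLE_AUTHORITY = """
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDER=
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""

# owner  ttl  IN  type  rdata   (class is assumed to be IN, as in dig output)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_rrs(text):
    """Return a list of (owner, type, rdata) tuples from presentation-format lines."""
    rrs = []
    for line in text.strip().splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def unsigned_rrsets(text, types=("NSEC", "NSEC3")):
    """Return sorted (owner, type) pairs present in `text` with no RRSIG covering them.

    `types` restricts the check to denial records by default; pass None to
    report every unsigned RRset (e.g. an unsigned SOA) in a signed zone's answer.
    """
    rrs = parse_rrs(text)
    signed = set()
    for owner, rtype, rdata in rrs:
        if rtype == "RRSIG":
            # The first RDATA field of an RRSIG is the type it covers.
            signed.add((owner, rdata.split()[0].upper()))
    present = {(o, t) for o, t, _ in rrs if t != "RRSIG"}
    return sorted(
        (o, t) for o, t in present
        if (types is None or t in types) and (o, t) not in signed
    )


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_AUTHORITY):
        print(f"unsigned {rtype} at {owner}: negative answers will fail validation")
```

Feed it the authority section of `dig +cd +dnssec <name>` output; if the NSEC3 shows up here but disappears without `+cd`, the zone has the same problem the thread describes.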