Troubleshooting DNSSEC issue w/ ic.fbi.gov

Mark Andrews marka at isc.org
Wed Jul 17 22:06:18 UTC 2013


In message <51E712E5.60502 at rancid.berkeley.edu>, Michael Sinatra writes:
> On 7/17/13 2:38 PM, Mark Andrews wrote:
> > 
> > In message <1673423961.50595218.1374096753729.JavaMail.root at k-state.edu>, "Lawrence K. Chen, P.Eng." writes:
> >>
> >>
> >> ----- Original Message -----
> >>> On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
> >>>> On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> >>>>> Hello;
> >>>>>
> >>>>> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided
> >>>>> version --
> >>>>> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue
> >>>>> resolving
> >>>>> ic.fbi.gov that seems to be DNSSEC related.
> >>>>>
> >>>>> Am fairly certain of this because if I set dnssec-enable and
> >>>>> dnssec-validation to no (have them at 'yes' normally), resolution
> >>>>> succeeds.
> >>>>>
> >>>>> If I run a dig @nameserver ic.fbi.gov from a client machine, dig
> >>>>> just
> >>>>> hangs for a bit then eventually times out.  dig @nameserver
> >>>>> fbi.gov
> >>>>> works fine....
> >>>>
> >>>> This is one of the weirder ones I've seen. . . there are TXT and MX
> >>>> records for ic.fbi.gov, both correctly signed:
> >>>>
> >>>> ;; ANSWER SECTION:
> >>>> ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120
> >>>> 20130716154120 32497 fbi.gov.
> >>>> kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
> >>>> mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
> >>>> OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
> >>>> ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
> >>>> ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120
> >>>> 20130716154120 32497 fbi.gov.
> >>>> iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
> >>>> z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
> >>>> 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
> >>>> ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov
> >>>> mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov
> >>>> include:mail.leo.gov mx:mail.leo.gov ?all"
> >>>>
> >>>> There's also an NSEC3 record for ic.fbi.gov, asserting that there
> >>>> are
> >>>> only MX, TXT and RRSIG records for it:
> >>>>
> >>>> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
> >>>> 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
> >>>>
> >>>> However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
> >>>> with checking disabled but also request DNSSEC records, you'll get
> >>>> it. If you ask with checking enabled, you won't, because it can't
> >>>> be
> >>>> validated. This seems to be true for the whole fbi.gov zone, at
> >>>> least
> >>>> the records I checked. So any query to fbi.gov that returns a
> >>>> record
> >>>> will be okay, anything that doesn't will end up with a SERVFAIL.
> >>>>
> >>>> Bill.
> >>>>
> >>>
> >>> Thanks for the replies, all.  Am trying to find a hostmaster contact
> >>> at
> >>> fbi.gov to make them aware.
> >>>
> >>> In the meantime, I'll convince Sendmail to not try to look up this
> >>> domain during sender verification. :)
> >>>
> >>> Ray
> >>
> >>
> >> Try contacting dotgov.gov
> >>
> >> registrar at dotgov.gov or 877-734-4688 or 703-948-0723
> >>
> >> They'll have phone numbers for the people they need to contact for fbi.gov to get things fixed.
> >  
> > Which would not be required if .gov had a properly functioning whois.
> > Could all US residents on this list contact your Congress Critters
> > and complain about this stupidity.
> 
> The SOA RNAME should work:
> 
> fbi.gov.        600    IN    SOA    ns1.fbi.gov. dns-admin.fbi.gov.
> 2013071601 7200 3600 2592000 43200
> 
> fbi.gov's MX is resolvable down to an IP address, so mail should get
> through, depending on your MTA.
> 
> michael

Which doesn't help you if you are using DANE to set up STARTTLS.

Now can we get useful whois for .gov rather than this farce that
is currently being done that only tells you if the sub domain exists
or not.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
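As an added example (not part of the thread), the check Bill describes doing by hand, scripted: parse the output of `dig +dnssec +cd <name> @resolver` and list every RRset that has no covering RRSIG. The sample response is constructed after the records quoted above (signatures shortened); the only assumption is dig's standard presentation format of one record per line.

```python
from typing import List, Tuple

# Constructed sample modelled on the dig +dnssec +cd output quoted in the thread:
# MX and TXT carry RRSIGs, the NSEC3 record in the authority section does not.
SAMPLE = """\
;; ANSWER SECTION:
ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwab...CJw=
ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov ?all"
ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl...nxY=

;; AUTHORITY SECTION:
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""


def find_unsigned_rrsets(dig_output: str) -> List[Tuple[str, str]]:
    """Return (owner, type) pairs present in the response with no RRSIG
    whose 'type covered' field matches them."""
    rrsets = set()   # (owner, type) of every non-RRSIG record
    signed = set()   # (owner, type covered) of every RRSIG record
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # comment / section header
        fields = line.split()
        # presentation format: OWNER TTL CLASS TYPE RDATA...
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[3]  # names are case-insensitive
        if rtype == "RRSIG":
            signed.add((owner, fields[4]))  # first RDATA field is the type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - signed)


def denial_is_verifiable(dig_output: str) -> bool:
    """A validating resolver can only prove NODATA/NXDOMAIN if every NSEC/NSEC3
    RRset is signed; an unsigned one turns negative answers into SERVFAIL."""
    unsigned = find_unsigned_rrsets(dig_output)
    return not any(rtype in ("NSEC", "NSEC3") for _, rtype in unsigned)


if __name__ == "__main__":
    for owner, rtype in find_unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covering {rtype} at {owner}")
    print("negative answers verifiable:", denial_is_verifiable(SAMPLE))
```

Run it against the real thing with `dig +dnssec +cd +noall +answer +authority ic.fbi.gov @resolver | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`; +cd is what makes the resolver hand back the unvalidated records at all.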