Troubleshooting DNSSEC issue w/ ic.fbi.gov

Casey Deccio casey at deccio.net
Thu Jul 18 07:58:22 UTC 2013


On Wed, Jul 17, 2013 at 10:58 AM, Bill Owens <owens at nysernet.org> wrote:
> This is one of the weirder ones I've seen. . . there are TXT and MX records for ic.fbi.gov, both correctly signed:
>
> ...
> However, that NSEC3 record is not signed.

FWIW, DNSViz checks the chain of trust for authenticated
denial-of-existence, but it doesn't display it by default.  If you
select "denial of existence" from the "DNSSEC options" then you see
some errors on the left (maybe we could have it shown by default if
there are errors).

http://dnsviz.net/d/ic.fbi.gov/Ueea1Q/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=

However, it seems the graph is missing corresponding red, dashed
arrows that are usually used to show when *some* servers are missing
RRSIGs--that will need to be looked into.  Because two of the servers
are returning RRSIGs for NSEC3, it does show arrows on the
authentication chain.  The rest, however, are certainly lacking
RRSIGs:

http://dnsviz.net/d/fbi.gov/UeeFmQ/servers/

Cheers,
Casey
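To make the check described in this thread concrete, here is an added example (not from the thread or from DNSViz) that audits, per authoritative server, whether every NSEC3 record in a negative response's authority section is covered by an RRSIG. The two responses, server names and owner-name hashes are constructed placeholders, not real ic.fbi.gov data.

```python
# Added example: detect NSEC3 records that lack a covering RRSIG, per server.
# Responses are constructed in dig-style presentation format and parsed with
# the standard library only, so the check runs offline.

# Constructed sample: one server signs its NSEC3 records, the other does not.
# Server names and hashed owner names are placeholders.
RESPONSES = {
    "ns-signed.example": """\
AUTHORITY
ic.fbi.gov. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
ic.fbi.gov. 3600 IN RRSIG SOA 8 3 3600 20130801000000 20130701000000 12345 ic.fbi.gov. AAAA
HASH1.ic.fbi.gov. 3600 IN NSEC3 1 0 10 ABCD HASH2 A RRSIG
HASH1.ic.fbi.gov. 3600 IN RRSIG NSEC3 8 4 3600 20130801000000 20130701000000 12345 ic.fbi.gov. BBBB
""",
    "ns-unsigned.example": """\
AUTHORITY
ic.fbi.gov. 3600 IN SOA ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
ic.fbi.gov. 3600 IN RRSIG SOA 8 3 3600 20130801000000 20130701000000 12345 ic.fbi.gov. AAAA
HASH1.ic.fbi.gov. 3600 IN NSEC3 1 0 10 ABCD HASH2 A RRSIG
""",
}


def parse_section(text):
    """Parse presentation-format lines into (owner, rrtype, rdata fields) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue  # skip the section label and anything that is not an RR
        owner, rrtype, rdata = fields[0], fields[3], fields[4:]
        records.append((owner, rrtype, rdata))
    return records


def unsigned_nsec3_owners(records):
    """Return NSEC3 owner names that have no RRSIG whose type-covered field is NSEC3."""
    nsec3_owners = {o for o, t, _ in records if t == "NSEC3"}
    signed = {o for o, t, r in records if t == "RRSIG" and r and r[0] == "NSEC3"}
    return sorted(nsec3_owners - signed)


def audit(responses):
    """Map each server to the NSEC3 owners it left unsigned (empty list means OK)."""
    return {srv: unsigned_nsec3_owners(parse_section(txt)) for srv, txt in responses.items()}


if __name__ == "__main__":
    for server, missing in audit(RESPONSES).items():
        status = "OK" if not missing else "missing RRSIG(NSEC3) for " + ", ".join(missing)
        print(f"{server}: {status}")
```

In practice you would feed it the authority section of a negative response captured from each listed nameserver, which is the per-server discrepancy the thread describes.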
