Troubleshooting DNSSEC issue w/ ic.fbi.gov

Brad Bendily Brad.Bendily at LA.GOV
Mon Jul 29 15:25:21 UTC 2013


Hi Ray,
Did you ever get a resolution on this?
We have had intermittent trouble getting to:
www.nws.noaa.gov sites and the fix has been a full restart
of the named service. I wasn't really sure how or where to 
start troubleshooting but when I saw this email I was hopeful
there would be a fix.

As someone indicated, it appears to be a problem with all .gov sites.
Has anyone confirmed if this has been fixed?

Thanks
BB
 

-----Original Message-----
From: bind-users-bounces+brad.bendily=la.gov at lists.isc.org [mailto:bind-users-bounces+brad.bendily=la.gov at lists.isc.org] On Behalf Of Ray Van Dolson
Sent: Wednesday, July 17, 2013 11:49 AM
To: bind-users at lists.isc.org
Subject: Troubleshooting DNSSEC issue w/ ic.fbi.gov

Hello;

Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that seems to be DNSSEC related.

Am fairly certain of this because if I set dnssec-enable and dnssec-validation to no (have them at 'yes' normally), resolution succeeds.

If I run a dig @nameserver ic.fbi.gov from a client machine, dig just hangs for a bit then eventually times out.  dig @nameserver fbi.gov works fine....

On my BIND server, I see the following in a packet capture:

  0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
  0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
  0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
  0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
  0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
  0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name

So it seems like the issue is related to the DS records queried not existing, but I've checked a few DNSSEC validation tools out there by plugging ic.fbi.gov in and things appear to check out.  This could be firewall related on my side (we have Checkpoint firewalls), but other DNSSEC queries appear to be working OK.

A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well also making me think the issue is somehow on my side....

Am reading up on additional troubleshooting steps for DNSSEC, but still wrapping my head around concepts.

Anyone have any tips as to where to start "digging" next based on what I'm seeing above?

Thanks,
Ray
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


More information about the bind-users mailing list