Troubleshooting DNSSEC issue w/ ic.fbi.gov
Brad.Bendily at LA.GOV
Mon Jul 29 15:25:21 UTC 2013
Did you ever get a resolution on this?
We have had intermittent trouble getting to:
www.nws.noaa.gov sites and the fix has been a full restart
of the named service. I wasn't really sure how or where to
start troubleshooting but when I saw this email I was hopeful
there would be a fix.
As someone indicated, it appears to be a problem with all .gov sites.
Has anyone confirmed if this has been fixed?
From: bind-users-bounces+brad.bendily=la.gov at lists.isc.org [mailto:bind-users-bounces+brad.bendily=la.gov at lists.isc.org] On Behalf Of Ray Van Dolson
Sent: Wednesday, July 17, 2013 11:49 AM
To: bind-users at lists.isc.org
Subject: Troubleshooting DNSSEC issue w/ ic.fbi.gov
Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that seems to be DNSSEC related.
Am fairly certain of this because if I set dnssec-enable and dnssec-validation to no (have them at 'yes' normally), resolution succeeds.
If I run a dig @nameserver ic.fbi.gov from a client machine, dig just hangs for a bit then eventually times out. dig @nameserver fbi.gov works fine....
On my BIND server, I see the following in a packet capture:
0.000000 18.104.22.168 -> 22.214.171.124 DNS Standard query A ic.fbi.gov
0.026504 126.96.36.199 -> 188.8.131.52 DNS Standard query response
0.026927 184.108.40.206 -> 220.127.116.11 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
0.042998 18.104.22.168 -> 22.214.171.124 DNS Standard query response, No such name
0.043485 126.96.36.199 -> 188.8.131.52 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
0.048186 184.108.40.206 -> 220.127.116.11 DNS Standard query response, No such name
0.048595 18.104.22.168 -> 22.214.171.124 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
0.053765 126.96.36.199 -> 188.8.131.52 DNS Standard query response, No such name
30.043683 184.108.40.206 -> 220.127.116.11 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
30.061169 18.104.22.168 -> 22.214.171.124 DNS Standard query response, No such name
So it seems like the issue is related to the DS records queried not existing, but I've checked a few DNSSEC validation tools out there by plugging ic.fbi.gov in and things appear to check out. This could be firewall related on my side (we have Checkpoint firewalls), but other DNSSEC queries appear to be working OK.
A dig @126.96.36.199 +dnssec ic.fbi.gov works OK as well also making me think the issue is somehow on my side....
Am reading up on additional troubleshooting steps for DNSSEC, but still wrapping my head around concepts.
Anyone have any tips as to where to start "digging" next based on what I'm seeing above?
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
More information about the bind-users