<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Georgia;
panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Georgia","serif";
color:#1F497D;
font-style:italic;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'>Hi Marc,<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'><o:p> </o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'>Yes, on my DNS server, if I do a dig @8.8.8.8, I get an answer (with AD bit set). When I also do a dig @pac1.nipr.mil, I get an answer (with AA bit set).<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'><o:p> </o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'>However, when I do dig @localhost, that is where I don’t get any result at all.<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'><o:p> </o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'>All the DNSSEC tools out there, like dnsviz.net, dnsstuff.com, dnscheck.iis.se, they all show DNSSEC error for uscg.mil.<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'><o:p> </o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:blue'>Linh Khuu<br>Network Security Specialist<br>Northrop Grumman IS | Civil Systems Division (CSD)<br>Office: 410-965-0746<br>Pager: 443-847-7551<br>Email: <a href="mailto:Linh.Khuu@ssa.gov">Linh.Khuu@ssa.gov</a><o:p></o:p></span></i></p><p class=MsoNormal><i><span style='font-family:"Georgia","serif";color:#1F497D'><o:p> </o:p></span></i></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Marc Lampo [mailto:marc.lampo.ietf@gmail.com] <br><b>Sent:</b> Thursday, November 14, 2013 1:16 
PM<br><b>To:</b> Khuu, Linh Contractor<br><b>Cc:</b> Bind Users Mailing List<br><b>Subject:</b> Re: Does anyone have DNSSEC problem with uscg.mil<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Not at this moment :<br>$ dig @<a href="http://8.8.8.8">8.8.8.8</a> mx <a href="http://uscg.mil">uscg.mil</a>. +dnssec<br><br>; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @<a href="http://8.8.8.8">8.8.8.8</a> mx <a href="http://uscg.mil">uscg.mil</a>. +dnssec<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506<br>;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 512<br>;; QUESTION SECTION:<br>;<a href="http://uscg.mil">uscg.mil</a>. IN MX<br><br>;; ANSWER SECTION:<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 40 <a href="http://smtp-gateway-4.uscg.mil">smtp-gateway-4.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 40 <a href="http://smtp-gateway-4a.uscg.mil">smtp-gateway-4a.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 10 <a href="http://smtp-gateway-2.uscg.mil">smtp-gateway-2.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 20 <a href="http://smtp-gateway-5a.uscg.mil">smtp-gateway-5a.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 10 <a href="http://smtp-gateway-1.uscg.mil">smtp-gateway-1.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 20 <a href="http://smtp-gateway-5.uscg.mil">smtp-gateway-5.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 10 <a href="http://smtp-gateway-1a.uscg.mil">smtp-gateway-1a.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 8478 IN MX 10 <a href="http://smtp-gateway-2a.uscg.mil">smtp-gateway-2a.uscg.mil</a>.<br><a href="http://uscg.mil">uscg.mil</a>. 
8478 IN RRSIG MX 7 2 86400 20131118074336 20131113074105 53369 <a href="http://uscg.mil">uscg.mil</a>. F...<o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>Observe : AD bit set.<br><br>Kind regards,<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Nov 14, 2013 at 7:00 PM, Khuu, Linh Contractor <<a href="mailto:Linh.Khuu@ssa.gov" target="_blank">Linh.Khuu@ssa.gov</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi,<br><br>Does anyone have any DNSSEC problem with <a href="http://uscg.mil" target="_blank">uscg.mil</a>?<br><br>On our DNS servers, we have seen broken trust chain error and the validation failed.<br><br>14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving '<a href="http://uscg.mil/A/IN" target="_blank">uscg.mil/A/IN</a>': 199.211.218.6#53<br>14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving '<a href="http://uscg.mil/A/IN" target="_blank">uscg.mil/A/IN</a>': 199.211.218.6#53<br>14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving '<a href="http://uscg.mil/MX/IN" target="_blank">uscg.mil/MX/IN</a>': 199.211.218.6#53<br>14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving '<a href="http://uscg.mil/MX/IN" target="_blank">uscg.mil/MX/IN</a>': 199.211.218.6#53<br><br>14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> AAAA: in authvalidated<br>14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> AAAA: authvalidated: got broken trust chain<br>14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> AAAA: resuming nsecvalidate<br>14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> A: starting<br>14-Nov-2013 12:58:13.058 
dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> A: attempting positive response validation<br>14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> A: in fetch_callback_validator<br>14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> A: fetch_callback_validator: got failure<br>14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> MX: starting<br>14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> MX: attempting positive response validation<br>14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> MX: in fetch_callback_validator<br>14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: <a href="http://uscg.mil" target="_blank">uscg.mil</a> MX: fetch_callback_validator: got failure<br><br>Thanks,<br>Linh Khuu<br>Network Security Specialist<br>Northrop Grumman IS | Civil Systems Division (CSD)<br>Office: <a href="tel:410-965-0746">410-965-0746</a><br>Pager: <a href="tel:443-847-7551">443-847-7551</a><br>Email: <a href="mailto:Linh.Khuu@ssa.gov">Linh.Khuu@ssa.gov</a><br>_______________________________________________<br>Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br><br>bind-users mailing list<br><a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>