Resolving .gov w/dnssec

Casey Deccio casey at deccio.net
Thu Apr 22 18:29:32 UTC 2010


On Thu, Apr 22, 2010 at 11:17 AM, Nate Itkin <bind-users at konadogs.net> wrote:

>
> Not specifically, but I log a lot of errors resolving in usps.gov. USPS
> clearly has configuration issues.  A representative sample from my logs:
>
> 19-Apr-2010 11:04:23.072 lame-servers: no valid RRSIG resolving 'EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov/DS/IN': 56.0.82.25#53
> 19-Apr-2010 11:04:24.099 lame-servers: no valid RRSIG resolving 'samtcatwe0d3.usps.gov/DS/IN': 56.0.82.25#53
> 19-Apr-2010 11:04:24.890 lame-servers: no valid DS resolving 'samtcatwe0d3.usps.gov/AAAA/IN': 56.0.100.25#53
> 19-Apr-2010 11:04:27.975 lame-servers: no valid NSEC resolving 'samtcatwe0d3.usps.gov/MX/IN': 56.0.100.25#53
>
>
The usps.gov servers are not returning all the appropriate RRSIGs to cover
the NSEC3 RRs returned for denial of existence.  This is consistent with all
their servers.

$ dig @dns100.usps.com +dnssec usps.gov aaaa

; <<>> DiG 9.6.1-P3 <<>> @dns100.usps.com +dnssec usps.gov cname
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40506
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;usps.gov.                      IN      CNAME

;; AUTHORITY SECTION:
usps.gov.               1800    IN      SOA     dns141.usps.com. domainadmin.imail.usps.gov. 285717992 3600 1800 1209600 1800
usps.gov.               1800    IN      RRSIG   SOA 7 2 3600 20100502025431 20100422015431 43133 usps.gov. grQ5+JGDwezIsv2g5jAEXARLnW/leCieA/13Uxt8zZVZmUlozObsxHEo r3NuB1cF9MOg1NppkJbwKswC4AFg1lT9RZ3hAVEvFL4clLzgFYUlEmpN 3hdqJ+1ZO05zramz9loaP1TWcJPSUtLosFQaD4OuJHimxCxmMk0Qnke5 EAs=
EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov. 1800 IN NSEC3 1 0 100 - EHU10MMN93MNBII1G8R5MUSB0EKKKFPK NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM TYPE65534

Casey
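
An added example, not part of the original post and not ISC or BIND code: a short Python check that reads dig +dnssec output (one record per line) and lists the RRsets that have no covering RRSIG, which is the condition described above. The sample input is constructed from the authority section shown in the post with the signature data replaced by a placeholder; the function names are hypothetical.

```python
# Added example: find RRsets in a DNSSEC response that lack a covering RRSIG.
# It checks presence only; it does not verify signatures or validity periods.
# Delegation NS and glue records are legitimately unsigned, so apply this to
# records the zone is authoritative for (SOA, NSEC, NSEC3, answers).

# Constructed sample: records from the post, signature replaced by a placeholder.
SAMPLE = """\
;; AUTHORITY SECTION:
usps.gov. 1800 IN SOA dns141.usps.com. domainadmin.imail.usps.gov. 285717992 3600 1800 1209600 1800
usps.gov. 1800 IN RRSIG SOA 7 2 3600 20100502025431 20100422015431 43133 usps.gov. PLACEHOLDERSIG=
EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov. 1800 IN NSEC3 1 0 100 - EHU10MMN93MNBII1G8R5MUSB0EKKKFPK NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM TYPE65534
"""

# Constructed line showing what a complete response would also carry.
NSEC3_SIG = ("EGQ1REIRR8NVE4U6I97RO3PC2CRUU1A5.usps.gov. 1800 IN RRSIG NSEC3 7 3 1800 "
             "20100502025431 20100422015431 43133 usps.gov. PLACEHOLDERSIG=\n")


def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) for each 'owner TTL IN TYPE rdata' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # dig comments, section headers, question line
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a resource record in presentation format
        owner = fields[0].lower().rstrip(".") + "."  # names compare case-insensitively
        yield owner, fields[3].upper(), fields[4:]


def uncovered_rrsets(text):
    """Return sorted (owner, type) pairs that have no RRSIG covering that type."""
    rrsets, covered = set(), set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))  # first RDATA field = type covered
        else:
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for owner, rrtype in uncovered_rrsets(SAMPLE):
        print(f"no RRSIG covering {rrtype} at {owner}")
```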