Troubleshooting DNSSEC issue w/ ic.fbi.gov

Sten Carlsen stenc at s-carlsen.dk
Wed Jul 17 17:05:14 UTC 2013


From here I see a fast response using the local server:
~~~~~
$ dig ic.fbi.gov

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.            IN    A

;; AUTHORITY SECTION:
fbi.gov.        600    IN    SOA    ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200

;; Query time: 158 msec
~~~~~
No error, but no address.

Using Google I get a servfail:
~~~~~
$ dig ic.fbi.gov @8.8.8.8

; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ic.fbi.gov.            IN    A

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 17 18:54:41 2013
;; MSG SIZE  rcvd: 28
~~~~~
SERVFAIL, so something is unclear.


On 17/07/13 18:49, Ray Van Dolson wrote:
> Hello;
>
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
>
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
>
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out.  dig @nameserver fbi.gov
> works fine....
>
> On my BIND server, I see the following in a packet capture:
>
>   0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
>   0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
>   0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
>   0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
>   0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
>   0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>   0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
>   0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>  30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
>  30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
>
> So it seems like the issue is related to the DS records queried not
> existing, but I've checked a few DNSSEC validation tools out there by
> plugging ic.fbi.gov in and things appear to check out.  This could be
> firewall related on my side (we have Checkpoint firewalls), but other
> DNSSEC queries appear to be working OK.
>
> A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well also making me think
> the issue is somehow on my side....
>
> Am reading up on additional troubleshooting steps for DNSSEC, but still
> wrapping my head around concepts.
>
> Anyone have any tips as to where to start "digging" next based on what
> I'm seeing above?
>
> Thanks,
> Ray

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 
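The 32-character labels in the quoted capture (7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B and the rest) have the shape of NSEC3 hashed owner names: 20-byte SHA-1 digests written in base32hex, which is what a validator handles while checking a negative (NXDOMAIN/NODATA) proof. The Python below is an added example, not code from the post or from BIND: it decodes those labels and implements the RFC 5155 hash, so that once the zone's NSEC3PARAM salt and iteration count are known (they are not in the post; the values in the code are placeholders) the expected hashed name for ic.fbi.gov can be computed and compared with the NSEC3 owner names a `dig +dnssec` answer carries.

```python
import base64
import hashlib

# Hashed owner labels copied from the DS queries in the quoted packet capture.
CAPTURE_LABELS = [
    "7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B",
    "97S2G907NEFOJ79P721E4FEQ9LR3IT1S",
    "6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP",
    "GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I",
]

# NSEC3 labels use base32hex (RFC 4648 s.7); Python's base64 module speaks
# standard base32, so translate between the two alphabets position by position.
_B32STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_HEX2STD = str.maketrans(_B32HEX, _B32STD)
_STD2HEX = str.maketrans(_B32STD, _B32HEX)


def base32hex_decode(label: str) -> bytes:
    std = label.upper().translate(_HEX2STD)
    return base64.b32decode(std + "=" * (-len(std) % 8))


def base32hex_encode(raw: bytes) -> str:
    return base64.b32encode(raw).decode("ascii").rstrip("=").translate(_STD2HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels, root byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex_encode(digest)


def capture_digest_lengths() -> list:
    """Every label in the capture should decode to a 20-byte SHA-1 digest."""
    return [len(base32hex_decode(l)) for l in CAPTURE_LABELS]


if __name__ == "__main__":
    # Placeholder NSEC3PARAM values: the real salt/iterations for fbi.gov are not in the post.
    salt, iterations = bytes.fromhex("abcd"), 5
    print(capture_digest_lengths())
    print(nsec3_hash("ic.fbi.gov", salt, iterations))
```

The implementation can be checked against the worked NSEC3 zone in RFC 5155 Appendix A (salt aabbccdd, 12 iterations) before it is trusted on a real zone.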
