Troubleshooting DNSSEC issue w/ ic.fbi.gov
Sten Carlsen
stenc at s-carlsen.dk
Wed Jul 17 17:05:14 UTC 2013
From here I see a fast response using the local server:
~~~~~
$ dig ic.fbi.gov
; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ic.fbi.gov. IN A
;; AUTHORITY SECTION:
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200
;; Query time: 158 msec
~~~~~
No error, but no address.
Using Google I get a servfail:
~~~~~
$ dig ic.fbi.gov @8.8.8.8
; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ic.fbi.gov. IN A
;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 17 18:54:41 2013
;; MSG SIZE rcvd: 28
~~~~~
SERVFAIL, so something is unclear.
On 17/07/13 18:49, Ray Van Dolson wrote:
> Hello;
>
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
>
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
>
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out. dig @nameserver fbi.gov
> works fine....
>
> On my BIND server, I see the following in a packet capture:
>
> 0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
> 0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
> 0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
> 0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
> 0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
> 0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
> 0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
> 0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
> 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
> 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
>
> So it seems like the issue is related to the DS records queried not
> existing, but I've checked a few DNSSEC validation tools out there by
> plugging ic.fbi.gov in and things appear to check out. This could be
> firewall related on my side (we have Checkpoint firewalls), but other
> DNSSEC queries appear to be working OK.
>
> A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well also making me think
> the issue is somehow on my side....
>
> Am reading up on additional troubleshooting steps for DNSSEC, but still
> wrapping my head around concepts.
>
> Anyone have any tips as to where to start "digging" next based on what
> I'm seeing above?
>
> Thanks,
> Ray
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
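A small triage helper, added here as an illustration and not part of the thread, that applies the usual first check for a suspected validation failure: compare the reply a validating resolver gives normally with the reply it gives for the same query with +cd (checking disabled). The sample header lines are constructed from the two dig outputs above; the +cd sample is hypothetical, and the function names are my own.

```python
import re

# Constructed samples modelled on the two dig responses in the thread
# (header lines only; the rest of dig's output is not needed for triage).
LOCAL = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"""
GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
# Hypothetical: the same query sent to the validating resolver with +cd,
# which asks it to skip validation and return whatever it fetched.
GOOGLE_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(
    r"^;; flags: (?P<flags>[a-z ]*);.*ANSWER: (?P<answer>\d+)", re.M)


def parse_dig(text):
    """Extract status, flag set and answer count from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("not a dig header")
    return {"status": status.group("status"),
            "flags": set(flags.group("flags").split()),
            "answers": int(flags.group("answer"))}


def triage(normal, with_cd):
    """Classify a lookup from its normal reply and its +cd reply."""
    n, c = parse_dig(normal), parse_dig(with_cd)
    if n["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        # Data is fetchable but the chain of trust cannot be built:
        # look at DS/DNSKEY/RRSIG for the zone, not at connectivity.
        return "dnssec_validation_failure"
    if n["status"] == "SERVFAIL":
        # Fails even with validation off: not a DNSSEC problem.
        return "resolution_failure"
    if n["status"] != "NOERROR":
        return n["status"].lower()  # e.g. nxdomain
    # NOERROR with an empty answer section is NODATA: the name exists but
    # has no record of the requested type, which is what the local server
    # returned above ("no error, but no address").
    kind = "nodata" if n["answers"] == 0 else "answer"
    trust = "validated" if "ad" in n["flags"] else "unvalidated"
    return f"{kind}_{trust}"
```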