Troubleshooting DNSSEC issue w/ ic.fbi.gov

Bill Owens owens at nysernet.org
Wed Jul 17 17:58:25 UTC 2013


On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> Hello;
> 
> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> ic.fbi.gov that seems to be DNSSEC related.
> 
> Am fairly certain of this because if I set dnssec-enable and
> dnssec-validation to no (have them at 'yes' normally), resolution
> succeeds.
> 
> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> hangs for a bit then eventually times out.  dig @nameserver fbi.gov
> works fine....

This is one of the weirder ones I've seen... there are TXT and MX records for ic.fbi.gov, both correctly signed:

;; ANSWER SECTION:
ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"

There's also an NSEC3 record for ic.fbi.gov, asserting that there are only MX, TXT and RRSIG records for it:

7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG

However, that NSEC3 record is not signed. If you ask for ic.fbi.gov with checking disabled but also request DNSSEC records, you'll get it. If you ask with checking enabled, you won't, because it can't be validated. This seems to be true for the whole fbi.gov zone, at least the records I checked. So any query to fbi.gov that returns a record will be okay, anything that doesn't will end up with a SERVFAIL.

Bill.
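As an added example (not part of the thread or of BIND), a small Python check that reads dig-style presentation output and flags every RRset with no covering RRSIG, which is exactly the condition Bill describes for the fbi.gov NSEC3 record. The sample response below is constructed from the record types quoted above; the signature fields are placeholders, not the real signatures.

```python
"""Flag RRsets in a DNSSEC response that have no covering RRSIG."""

# Constructed sample modelled on the records quoted in the thread.
# Signature data is a placeholder; only owner/type/covered-type matter here.
SAMPLE_RESPONSE = """\
;; ANSWER SECTION:
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG==
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG==
ic.fbi.gov. 261 IN TXT "v=spf1 a mx mx:mail.ic.fbi.gov ?all"
;; AUTHORITY SECTION:
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""


def parse_records(text):
    """Yield (owner, rtype, rdata_tokens) for each record line.

    Lines are dig presentation format: owner TTL class type rdata...
    Comment lines (';;') and blank lines are skipped.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # not a record line; ignore
        owner, _ttl, _cls, rtype = fields[:4]
        # Owner names are case-insensitive; normalise so RRSIG and RRset match.
        yield owner.lower(), rtype.upper(), fields[4:]


def find_unsigned_rrsets(text):
    """Return sorted (owner, type) pairs whose RRset has no covering RRSIG.

    A validating resolver (checking enabled) will not accept such an RRset,
    so a denial-of-existence proof built from an unsigned NSEC3 fails and
    the query ends in SERVFAIL, as described in the thread.
    """
    rrsets, signed = set(), set()
    for owner, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            if rdata:  # first rdata token of an RRSIG is the type it covers
                signed.add((owner, rdata[0].upper()))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - signed)


if __name__ == "__main__":
    for owner, rtype in find_unsigned_rrsets(SAMPLE_RESPONSE):
        print(f"unsigned RRset: {owner} {rtype}")
```

Feed it the output of a query made with checking disabled and DNSSEC records requested (`dig +cd +dnssec`), since that is the only way to see the unsigned RRset a validator would otherwise refuse to return.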
