Troubleshooting DNSSEC issue w/ ic.fbi.gov

Ray Van Dolson rvandolson at esri.com
Wed Jul 17 18:00:20 UTC 2013


On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
> On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> > Hello;
> > 
> > Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> > bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> > ic.fbi.gov that seems to be DNSSEC related.
> > 
> > Am fairly certain of this because if I set dnssec-enable and
> > dnssec-validation to no (have them at 'yes' normally), resolution
> > succeeds.
> > 
> > If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> > hangs for a bit then eventually times out.  dig @nameserver fbi.gov
> > works fine....
> 
> This is one of the weirder ones I've seen. . . there are TXT and MX
> records for ic.fbi.gov, both correctly signed:
> 
> ;; ANSWER SECTION:
> ic.fbi.gov.     261 IN  RRSIG   MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
> ic.fbi.gov.     261 IN  MX  10 mail.ic.fbi.gov.
> ic.fbi.gov.     261 IN  RRSIG   TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
> ic.fbi.gov.     261 IN  TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"
> 
> There's also an NSEC3 record for ic.fbi.gov, asserting that there are
> only MX, TXT and RRSIG records for it:
> 
> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
> 
> However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
> with checking disabled but also request DNSSEC records, you'll get
> it. If you ask with checking enabled, you won't, because it can't be
> validated. This seems to be true for the whole fbi.gov zone, at least
> the records I checked. So any query to fbi.gov that returns a record
> will be okay, anything that doesn't will end up with a SERVFAIL.
> 
> Bill.
> 

Thanks for the replies, all.  Am trying to find a hostmaster contact at
fbi.gov to make them aware.

In the meantime, I'll convince Sendmail to not try to look up this
domain during sender verification. :)

Ray
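Bill's diagnosis above comes down to one check: in a response fetched with checking disabled but DNSSEC records requested, every RRset should be accompanied by an RRSIG covering its type, and here the NSEC3 RRset has none, so a validating resolver can only SERVFAIL on the queries that depend on it. The Python below is added here as an example; it is not code from the thread, from BIND, or from fbi.gov. It runs that check over a constructed copy of the records quoted above (signature data replaced by a `<sig>` placeholder, the TXT string shortened) and also recomputes the NSEC3 owner name for ic.fbi.gov from the parameters in the record itself (hash algorithm 1, flags 0, 10 iterations, salt BBAB), so a reader can confirm which name that NSEC3 record is for. `SAMPLE_RESPONSE` and the function names are mine; the hashing follows RFC 5155 section 5 and base32hex follows RFC 4648 section 7.

```python
import hashlib

# Alphabet of base32 "extended hex" (RFC 4648 section 7).  NSEC3 owner labels
# are 20-byte SHA-1 digests encoded this way: 32 characters, no padding.
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def base32hex(data: bytes) -> str:
    """Encode bytes with the base32hex alphabet, without '=' padding."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(_B32HEX[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Owner name the NSEC3 record for `name` must carry in `zone`."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.')}."


# Constructed sample modelled on the dig answer quoted in the thread.  Each
# tuple is (owner, type, rdata); the RRSIG signature bytes are replaced by a
# placeholder because this check only reads the type-covered field.
SAMPLE_RESPONSE = [
    ("ic.fbi.gov.", "RRSIG", "MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. <sig>"),
    ("ic.fbi.gov.", "MX", "10 mail.ic.fbi.gov."),
    ("ic.fbi.gov.", "RRSIG", "TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. <sig>"),
    ("ic.fbi.gov.", "TXT", '"v=spf1 a mx ... ?all"'),   # TXT shortened for the sample
    ("7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov.", "NSEC3",
     "1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG"),
]


def unsigned_rrsets(records):
    """(owner, type) of every RRset in a DO=1 response with no RRSIG covering it."""
    present, covered = set(), set()
    for owner, rtype, rdata in records:
        owner = owner.lower()
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))   # first RRSIG field: type covered
        else:
            present.add((owner, rtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_RESPONSE):
        print(f"unsigned RRset: {owner} {rtype}  (a validating resolver cannot use it)")
    # Parameters are taken from the NSEC3 record itself: alg 1 (SHA-1), flags 0,
    # 10 iterations, salt BBAB.
    computed = nsec3_owner("ic.fbi.gov", "fbi.gov", "BBAB", 10)
    quoted = "7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov."
    verdict = "matches" if computed.lower() == quoted.lower() else "differs from"
    print(f"NSEC3 owner for ic.fbi.gov: {computed} ({verdict} the quoted record)")
```

To run the same check against live data, fetch the answer with `dig @resolver ic.fbi.gov +dnssec +cd` (checking disabled, DO bit set, which is the query Bill describes as returning the NSEC3 record) and turn each answer and authority line into an `(owner, type, rdata)` tuple; any RRset the function reports is one a validator cannot accept, and a missing RRSIG on the NSEC3 chain turns every negative answer in the zone into a SERVFAIL while positive answers keep working.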


More information about the bind-users mailing list