Does anyone have DNSSEC problem with uscg.mil

Khuu, Linh Contractor Linh.Khuu at ssa.gov
Thu Nov 14 18:22:55 UTC 2013


Hi Marc,

Yes, on my DNS server, if I do a dig @8.8.8.8, I get an answer (with the AD bit set). I also did a dig @pac1.nipr.mil and got an answer (with the AA bit set).

However, when I do dig @localhost, that is where I don't get any result at all.

All the DNSSEC tools out there, like dnsviz.net, dnsstuff.com, and dnscheck.iis.se, show a DNSSEC error for uscg.mil.

Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: Linh.Khuu at ssa.gov

From: Marc Lampo [mailto:marc.lampo.ietf at gmail.com]
Sent: Thursday, November 14, 2013 1:16 PM
To: Khuu, Linh Contractor
Cc: Bind Users Mailing List
Subject: Re: Does anyone have DNSSEC problem with uscg.mil

Not at this moment:
$ dig @8.8.8.8 mx uscg.mil. +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 mx uscg.mil. +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;uscg.mil.                      IN      MX

;; ANSWER SECTION:
uscg.mil.               8478    IN      MX      40 smtp-gateway-4.uscg.mil.
uscg.mil.               8478    IN      MX      40 smtp-gateway-4a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-2.uscg.mil.
uscg.mil.               8478    IN      MX      20 smtp-gateway-5a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-1.uscg.mil.
uscg.mil.               8478    IN      MX      20 smtp-gateway-5.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-1a.uscg.mil.
uscg.mil.               8478    IN      MX      10 smtp-gateway-2a.uscg.mil.
uscg.mil.               8478    IN      RRSIG   MX 7 2 86400 20131118074336 20131113074105 53369 uscg.mil. F...
Observe: AD bit set.

Kind regards,

On Thu, Nov 14, 2013 at 7:00 PM, Khuu, Linh Contractor <Linh.Khuu at ssa.gov> wrote:
Hi,

Does anyone have any DNSSEC problem with uscg.mil?

On our DNS servers, we have seen broken trust chain errors, and the validation failed.

14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53

14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: in authvalidated
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: authvalidated: got broken trust chain
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: resuming nsecvalidate
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: attempting positive response validation
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: in fetch_callback_validator
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: starting
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: attempting positive response validation
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: in fetch_callback_validator
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure

Thanks,
Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: Linh.Khuu at ssa.gov
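
Added example (not part of the original thread, and not ISC code): a small Python triage script that groups the "broken trust chain" and validator-failure lines shown above by name, record type and upstream server. The regular expressions assume the BIND log layout seen in this post; `summarize` and the constant names are chosen for this example.

```python
import re
from collections import defaultdict

# A subset of the log lines from the post above (mail-client link residue removed).
SAMPLE_LOG = """\
14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: authvalidated: got broken trust chain
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure
"""

# Resolver-side error: reason, owner name, RR type and the upstream server queried.
RESOLVE_RE = re.compile(
    r"lame-servers: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+")
# Validator debug line: owner name, RR type and the validator's message.
VALIDATE_RE = re.compile(
    r"dnssec: debug \d+: validating @\w+: (?P<name>\S+) (?P<rtype>[A-Z0-9]+): (?P<msg>.+)$")
FAILURE_MARKERS = ("broken trust chain", "got failure")

def summarize(log_text):
    """Group DNSSEC failure evidence by owner name.

    Returns {name: {"types": RR types that failed, "servers": upstream IPs
    named in resolver errors, "events": number of failure lines}}.
    """
    out = defaultdict(lambda: {"types": set(), "servers": set(), "events": 0})
    for line in log_text.splitlines():
        m = RESOLVE_RE.search(line)
        if m and m["reason"] == "broken trust chain":
            entry = out[m["name"]]
            entry["servers"].add(m["server"])
        else:
            m = VALIDATE_RE.search(line)
            # Skip progress lines such as "starting"; keep only failures.
            if not (m and any(k in m["msg"] for k in FAILURE_MARKERS)):
                continue
            entry = out[m["name"]]
        entry["types"].add(m["rtype"])
        entry["events"] += 1
    return dict(out)

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(name, sorted(info["types"]), sorted(info["servers"]), info["events"])
```

Failures across every queried type for one name, as in these lines, are consistent with a problem in the zone's DS/DNSKEY chain rather than with a single RRset.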