On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
> On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> > Hello;
> >
> > Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> > bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> > ic.fbi.gov that seems to be DNSSEC related.
> >
> > Am fairly certain of this because if I set dnssec-enable and
> > dnssec-validation to no (have them at 'yes' normally), resolution
> > succeeds.
> >
> > If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> > hangs for a bit then eventually times out. dig @nameserver fbi.gov
> > works fine....
>
> This is one of the weirder ones I've seen. . . there are TXT and MX
> records for ic.fbi.gov, both correctly signed:
>
> ;; ANSWER SECTION:
> ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120
> 32497 fbi.gov. kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
> mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
> OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
> ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
> ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120
> 32497 fbi.gov. iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
> z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
> 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
> ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov mx:mail.ic.fbi.gov
> ip4:153.31.119.132 a:mail.leo.gov include:mail.leo.gov mx:mail.leo.gov ?all"
>
> There's also an NSEC3 record for ic.fbi.gov, asserting that there are
> only MX, TXT and RRSIG records for it:
>
> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
> 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
>
> However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
> with checking disabled but also request DNSSEC records, you'll get
> it. If you ask with checking enabled, you won't, because it can't be
> validated.
>
> This seems to be true for the whole fbi.gov zone, at least
> the records I checked. So any query to fbi.gov that returns a record
> will be okay, anything that doesn't will end up with a SERVFAIL.
>
> Bill.
>
Thanks for the replies, all. Am trying to find a hostmaster contact at
fbi.gov to make them aware. In the meantime, I'll convince Sendmail to
not try to look up this domain during sender verification. :)

Ray
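Bill's diagnosis reduces to one check an operator can script when a validating resolver returns SERVFAIL: does every RRset in the `+cd +dnssec` response have an RRSIG whose type-covered field matches it? The Python below is an added example, not code from the thread or from BIND; it runs that check over a constructed excerpt modelled on the records quoted above (signature data shortened, each RR on one line as dig prints it) and reports the NSEC3 RRset as the one lacking a signature.

```python
"""Find RRsets in a dig-style response that have no covering RRSIG."""
from collections import defaultdict

# Constructed sample modelled on the thread's dig output: MX and TXT for
# ic.fbi.gov are signed, the NSEC3 in the authority section is not.
SAMPLE = """\
;; ANSWER SECTION:
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. kuorwa...CJw=
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. iWlwUH...nxY=
ic.fbi.gov. 261 IN TXT "v=spf1 a mx ?all"

;; AUTHORITY SECTION:
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""


def parse_records(text):
    """Yield (owner, type, rdata) for each resource record line.

    Comment lines (';;' headers) and blank lines are skipped; owner names
    are lower-cased so that case differences never hide a match.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 4:
            continue
        owner, _ttl, _cls, rtype = parts[:4]
        rdata = parts[4] if len(parts) > 4 else ""
        yield owner.lower(), rtype.upper(), rdata


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that no RRSIG in the response covers."""
    rrsets = set()
    covered = defaultdict(set)  # owner -> set of RRSIG type-covered values
    for owner, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            covered[owner].add(rdata.split()[0].upper())  # first rdata field
        else:
            rrsets.add((owner, rtype))
    return sorted((o, t) for o, t in rrsets if t not in covered[o])


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covering {rtype} at {owner}")
```

A non-empty result from a real `dig +cd +dnssec` capture explains the SERVFAIL Ray saw: the validator has a denial-of-existence proof it cannot verify, which is an error on the zone's side, not the resolver's.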