In message <1673423961.50595218.1374096753729.javamail.r...@k-state.edu>, "Lawrence K. Chen, P.Eng." writes:
>
>
> ----- Original Message -----
> > On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
> > > On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
> > > > Hello;
> > > >
> > > > Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
> > > > bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
> > > > ic.fbi.gov that seems to be DNSSEC related.
> > > >
> > > > Am fairly certain of this because if I set dnssec-enable and
> > > > dnssec-validation to no (have them at 'yes' normally), resolution
> > > > succeeds.
> > > >
> > > > If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
> > > > hangs for a bit then eventually times out. dig @nameserver fbi.gov
> > > > works fine....
> > >
> > > This is one of the weirder ones I've seen. . . there are TXT and MX
> > > records for ic.fbi.gov, both correctly signed:
> > >
> > > ;; ANSWER SECTION:
> > > ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120
> > > 20130716154120 32497 fbi.gov.
> > > kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
> > > mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
> > > OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
> > > ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
> > > ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120
> > > 20130716154120 32497 fbi.gov.
> > > iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
> > > z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
> > > 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
> > > ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov
> > > mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov
> > > include:mail.leo.gov mx:mail.leo.gov ?all"
> > >
> > > There's also an NSEC3 record for ic.fbi.gov, asserting that there are
> > > only MX, TXT and RRSIG records for it:
> > >
> > > 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
> > > 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
> > >
> > > However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
> > > with checking disabled but also request DNSSEC records, you'll get
> > > it. If you ask with checking enabled, you won't, because it can't be
> > > validated. This seems to be true for the whole fbi.gov zone, at least
> > > the records I checked. So any query to fbi.gov that returns a record
> > > will be okay, anything that doesn't will end up with a SERVFAIL.
> > >
> > > Bill.
> > >
> >
> > Thanks for the replies, all. Am trying to find a hostmaster contact at
> > fbi.gov to make them aware.
> >
> > In the meantime, I'll convince Sendmail to not try to look up this
> > domain during sender verification. :)
> >
> > Ray
> > _______________________________________________
>
>
> Try contacting dotgov.gov
>
> regist...@dotgov.gov or 877-734-4688 or 703-948-0723
>
> They'll have phone numbers for the people they need to contact for fbi.gov to
> get things fixed.

Which would not be required if .gov had a properly functioning whois.
Could all US residents on this list contact your Congress Critters
and complain about this stupidity.

Mark

> --
> Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
> For: Enterprise Server Technologies (EST) -- & SafeZone Ally
> Snail: Computing and Telecommunications Services (CTS)
> Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
> Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
> Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
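
The failure mode Bill Owens describes above (signed answers, but an NSEC3 record with no RRSIG, so negative answers cannot validate), as an added example that is not part of the original thread: a Python check over dig-style output, as gathered with checking disabled and DNSSEC records requested, that lists RRsets lacking a covering RRSIG. The sample response, zone name and signature strings are constructed placeholders, and the check tests only for the presence of a covering signature, not its cryptographic validity.

```python
"""Flag RRsets in dig-style output that have no covering RRSIG (added example)."""
from collections import defaultdict

# Constructed sample (not real data): the MX and SOA RRsets are signed, but the
# NSEC3 record that proves "no other types exist" has no RRSIG NSEC3.
SAMPLE = """\
;; ANSWER SECTION:
sub.example.test. 600 IN MX 10 mail.sub.example.test.
sub.example.test. 600 IN RRSIG MX 7 3 600 20131014154120 20130716154120 12345 example.test. c2lnLXBsYWNlaG9sZGVy
;; AUTHORITY SECTION:
example.test. 600 IN SOA ns.example.test. host.example.test. 1 3600 600 86400 600
example.test. 600 IN RRSIG SOA 7 2 600 20131014154120 20130716154120 12345 example.test. c2lnLXBsYWNlaG9sZGVy
abcdefghijklmnopqrstuv0123456789.example.test. 600 IN NSEC3 1 0 10 BBAB bcdefghijklmnopqrstuv0123456789a MX TXT RRSIG
"""


def parse_records(text):
    """Yield (owner, type, rdata fields) for each single-line record."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, dig comment lines and anything not "name ttl IN type ...".
        if len(fields) < 5 or line.startswith(";") or fields[2] != "IN":
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs with no RRSIG covering that type.

    Only meaningful for authoritative data of a signed zone: delegation NS
    sets and glue are legitimately unsigned.
    """
    rrsets = set()
    covered = defaultdict(set)  # owner -> types named in "RRSIG <type covered>"
    for owner, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            covered[owner].add(rdata[0].upper())
        else:
            rrsets.add((owner, rtype))
    return sorted(rs for rs in rrsets if rs[1] not in covered[rs[0]])


def breaks_negative_answers(text):
    """True when a denial-of-existence record (NSEC/NSEC3) is unsigned."""
    return any(rtype in ("NSEC", "NSEC3") for _, rtype in unsigned_rrsets(text))


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covers {rtype} at {owner}")
    print("negative answers will fail validation:", breaks_negative_answers(SAMPLE))
```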