Well, complain to FEMA about the broken DNSSEC delegation. The emails to address the complaints to are below. The DS records don't match the DNSKEY records. None of the DNSKEY records' key ids match those in the DS records.
    dig ds fema.net
    dig dnskey fema.net +cd +rrcomment

Fixing this should take less than 5 minutes for someone with the correct credentials. The DS records that should be in place are these.

    % dig fema.net dnskey +cd +rrcomm | dnssec-dsfromkey -f - fema.net
    fema.net. IN DS 53044 8 1 8843998556D7DF20612518A0F6FF8F69E436F400
    fema.net. IN DS 53044 8 2 42D3D6DA12B06E438A83584B8E19D06EBD6EC1010E5BD01DD68C2AFA0B73A91A
    %

Mark

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: FEMA.NET
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://networksolutions.com
   Name Server: ASIA2.AKAM.NET
   Name Server: ASIA3.AKAM.NET
   Name Server: EUR2.AKAM.NET
   Name Server: USC2.AKAM.NET
   Name Server: USE1.AKAM.NET
   Name Server: USE3.AKAM.NET
   Name Server: USW3.AKAM.NET
   Name Server: USW4.AKAM.NET
   Status: clientTransferProhibited
   Updated Date: 29-oct-2014
   Creation Date: 22-mar-1996
   Expiration Date: 23-mar-2016

>>> Last update of whois database: Wed, 29 Oct 2014 20:26:25 GMT <<<

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois database through the use of electronic processes that are high-volume and automated except as reasonably necessary to register domain names or modify existing registrations; the Data in VeriSign Global Registry Services' ("VeriSign") Whois database is provided by VeriSign for information purposes only, and to assist persons in obtaining information about or related to a domain name registration record. VeriSign does not guarantee its accuracy. By submitting a Whois query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes that apply to VeriSign (or its computer systems). The compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of VeriSign. You agree not to use electronic processes that are automated and high-volume to access or query the Whois database except as reasonably necessary to register domain names or modify existing registrations. VeriSign reserves the right to restrict your access to the Whois database in its sole discretion to ensure operational stability. VeriSign may restrict or terminate your access to the Whois database for failure to abide by these terms of use. VeriSign reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
Domain Name: FEMA.NET
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2014-10-29T00:00:00Z
Creation Date: 1996-03-22T00:00:00Z
Registrar Registration Expiration Date: 2016-03-23T00:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: ab...@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Federal Emergency Management Agency
Registrant Organization: Federal Emergency Management Agency
Registrant Street: 500 C Street, SW
Registrant City: Washington
Registrant State/Province: DC
Registrant Postal Code: 20472
Registrant Country: US
Registrant Phone: +1.2026462918
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ann.hirs...@dhs.gov
Registry Admin ID:
Admin Name: Federal Emergency Management Agency
Admin Organization: Federal Emergency Management Agency
Admin Street: 500 C Street, SW
Admin City: Washington
Admin State/Province: DC
Admin Postal Code: 20472
Admin Country: US
Admin Phone: +1.2026462918
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: lisa.h...@fema.dhs.gov
Registry Tech ID:
Tech Name: Hart, Lisa
Tech Organization: FEMA
Tech Street: 188 Brooke Rd
Tech City: Winchester
Tech State/Province: VA
Tech Postal Code: 22603
Tech Country: US
Tech Phone: 540-723-8096
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: lisa.h...@dhs.gov
Name Server: USE3.AKAM.NET
Name Server: USW3.AKAM.NET
Name Server: USW4.AKAM.NET
Name Server: ASIA2.AKAM.NET
Name Server: ASIA3.AKAM.NET
Name Server: EUR2.AKAM.NET
Name Server: USC2.AKAM.NET
Name Server: USE1.AKAM.NET
DNSSEC: not signed
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

>>> Last update of whois database: Wed, 29 Oct 2014 20:26:25 GMT <<<

The data in Networksolutions.com's WHOIS database is provided to you by Networksolutions.com for information purposes only, that is, to assist you in obtaining information about or related to a domain name registration record. Networksolutions.com makes this information available "as is," and does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; or (2) enable high volume, automated, electronic processes that apply to Networksolutions.com (or its systems). The compilation, repackaging, dissemination or other use of this data is expressly prohibited without the prior written consent of Networksolutions.com. Networksolutions.com reserves the right to modify these terms at any time. By submitting this query, you agree to abide by these terms.

In message <alpine.DEB.2.10.1410290740590.15496@sol>, Antonio Querubin writes:
> On one of my servers I'm seeing numerous log entries of the following
> type:
>
> Oct 29 07:40:14 mx2 named[14747]: validating @0x7f3378be05b0: fema.net SOA: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: 6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: jkkfnbb4eep0h0ltjf1cisf4eo2lgnm5.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: fema.net SOA: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: 6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: jkkfnbb4eep0h0ltjf1cisf4eo2lgnm5.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:15 mx2 named[14747]: validating @0x7f3378be05b0: fema.net SOA: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:20 mx2 named[14747]: validating @0x7f3378be05b0: fema.net SOA: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:20 mx2 named[14747]: validating @0x7f3378be05b0: 6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:20 mx2 named[14747]: validating @0x7f3378be05b0: fema.net SOA: bad cache hit (fema.net/DNSKEY)
> Oct 29 07:40:20 mx2 named[14747]: validating @0x7f3378be05b0: 6o978dethbt4s0cg8sfb1jsts4ssimsc.fema.net NSEC3: bad cache hit (fema.net/DNSKEY)
>
> I'm guessing this is some kind of brute force attack on BIND trying to
> take advantage of a broken dnssec configuration for fema.net? The problem
> is that the syslog is filled with these messages.
>
> Antonio Querubin
> e-mail: t...@lavanauts.org
> xmpp: antonioqueru...@gmail.com
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
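As an added example (not part of Mark's post, nor BIND's own tooling), the following Python reproduces offline the check his `dig ... | dnssec-dsfromkey` pipeline performs: compute each DNSKEY's RFC 4034 key tag and DS digests over the canonical owner name plus DNSKEY RDATA, then test whether any DS record the parent publishes actually refers to a key in the child's DNSKEY RRset. An empty "matched" list is exactly the fema.net condition in the thread: every DS points at a key tag the zone no longer publishes, so validators mark the zone bogus. The zone name `example.net`, the 32-byte placeholder "public key" and the stale DS record are constructed sample data; the real fema.net DNSKEY material is not reproduced on this page.

```python
"""Offline DNSSEC delegation check: derive DS records from DNSKEY RDATA
(what `dnssec-dsfromkey` does) and compare them with the parent's DS set.
All sample data below is constructed; none of it is fema.net's real key."""
import hashlib
import struct

# Constructed sample: an assumed zone and a KSK (flags 257), algorithm 8
# (RSASHA256). The "public key" is 32 arbitrary bytes, not a real RSA key;
# key-tag and digest computation do not depend on the key's contents.
ZONE = "example.net."
SAMPLE_PUBKEY = bytes(range(1, 33))

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2: lower case, uncompressed)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int):
    """Return (key_tag, algorithm, digest_type, HEX) for one DNSKEY; the digest is
    taken over owner-name || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def check_delegation(owner: str, dnskeys: list, ds_set: list):
    """Split the parent's DS set into records that match a child DNSKEY and those that
    do not. No matches at all means the delegation is broken for every validator."""
    expected = {ds_from_dnskey(owner, k, dt) for k in dnskeys for dt in DIGESTS}
    matched = [ds for ds in ds_set if ds in expected]
    unmatched = [ds for ds in ds_set if ds not in expected]
    return matched, unmatched


def fmt_ds(owner: str, ds) -> str:
    """Presentation format, as dig and dnssec-dsfromkey print it."""
    tag, alg, dt, hexd = ds
    return f"{owner} IN DS {tag} {alg} {dt} {hexd}"


def demo():
    """Constructed scenario: two correct DS records plus one stale DS (tag 12345,
    assumed) left over from a key the zone no longer publishes."""
    ksk = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
    good = [ds_from_dnskey(ZONE, ksk, 1), ds_from_dnskey(ZONE, ksk, 2)]
    stale = [(12345, 8, 2, "00" * 32)]
    return check_delegation(ZONE, [ksk], good + stale)


if __name__ == "__main__":
    matched, unmatched = demo()
    for ds in matched:
        print("OK     ", fmt_ds(ZONE, ds))
    for ds in unmatched:
        print("BROKEN ", fmt_ds(ZONE, ds))
```

Against a live zone you would feed `check_delegation` the DNSKEY RDATA from `dig dnskey <zone> +cd` (the `+cd` matters: without it a validating resolver returns SERVFAIL for exactly the broken zones you want to inspect) and the DS set from `dig ds <zone>` at the parent. Note that the registrar-side "DNSSEC: not signed" field in the whois output above is informational only; what validators trust is the DS RRset served by the .net zone.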