When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest

behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"Tested at 2011-09-27 20:32:34 UTC"
"205.172.49.177 sent EDNS buffer size 4096"
"205.172.49.177 DNS reply size limit is at least 490"


Which, based on the website, tells me our firewall is blocking or filtering
EDNS/DNSSEC packets.

However, what I'm confused about is when I run this command:
dig +dnssec eeoc.gov

I get:

; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;eeoc.gov.                      IN      A

;; ANSWER SECTION:
eeoc.gov.               19499   IN      A       64.94.64.52
eeoc.gov.               19499   IN      RRSIG   A 7 2 21600 20111208014816 
20110909014816 52909 eeoc.gov. 
AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM 
GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B 
9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi 
yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw 
i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd 
SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==

;; AUTHORITY SECTION:
eeoc.gov.               66519   IN      NS      dnssec10.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec14.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec11.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec12.datamtn.com.
eeoc.gov.               66519   IN      NS      dnssec9.datamtn.com.

;; ADDITIONAL SECTION:
dnssec9.datamtn.com.    3114    IN      AAAA    2001:49f0:a02a:1000::238
dnssec11.datamtn.com.   3114    IN      AAAA    2001:470:1:7a::147
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 7 3 10800 20111125185428 
20110827185428 21352 datamtn.com. 
Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6 
RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK 
zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku 
LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV 
d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0 
prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
dnssec9.datamtn.com.    3114    IN      RRSIG   AAAA 8 3 10800 20111125185428 
20110827185428 61898 datamtn.com. 
NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101 
C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1 
jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x 
/Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId 
1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH 
yLUNrjhcO0cj/vVf1YrrIzZXF69zKGYfsCP876zKoVtlrUe1dZ0bersP 4I9klg==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 7 3 10800 20111125185428 
20110827185428 21352 datamtn.com. 
Lgt6Wq5JvvAF6BKUUoPSiv6lx0yqQ3HAFoClEcg11V7XhIngeaTperu7 
7lytmKl53yZUxarFbQdJ/NxwwNVl/F2Os5RkNHkAjVTkku1mjoMeqEhF 
NDe+cvYOOo0EASc9LhmHo2qgkyhjGAt1FtbmrOG9Gwr5OdUM5l2EgcGj 
bRvH1Sfv5le68ST1+74sQPKmp+3n0gopfKUlcYuDDw/mUKXR8lo3MCTv 
xe6q6NbwHNHWBCgUw4rqX4ZdVArL4WumKvkufeieDJpMhKwHlWHyPvu9 
pX1IsZRyQPo9RqnmSpG+yjR59ixbb23LyO6alrEDJTyaJZL8uHfwiTQ8 4V29tQ==
dnssec11.datamtn.com.   3114    IN      RRSIG   AAAA 8 3 10800 20111125185428 
20110827185428 61898 datamtn.com. 
vtFFEZbruIfnwSGAdlXukUn40SOEIZY9QXrHh6CfOl3WkQduSnbvgS5T 
+e2QN6GDcZgigGON8yHHTS8DI8ld/tCxxVkwB3ISkqkQHrjyyRD6+8IR 
J2BWsdMTyAhe9PygLR1FkfCt1JDaDnAbOKOniMT+6DRlnE7ZW7KfvZT/ 
7j5qG+xDixCXUHyhnstbv9vmMPTxnK1ASy6nz7ErnA/DUMleO484xIgM 
6Pc8uqy3Onw4Yfn4l5R66tQwC0yoSVwqmEyIWNWyx1SNQLFzUc1hySaF 
aQs1L/Zyu9e/wSHdZUeGiOwx5cz3yWE2NsF3tagxukkL9vNu2s/nyjzR 3igT3g==

;; Query time: 1 msec
;; SERVER: 10.120.11.107#53(10.120.11.107)
;; WHEN: Tue Sep 27 15:34:07 2011
;; MSG SIZE  rcvd: 1726


Which tells me my DNSSEC queries are working, right?
I noticed in the "OPT PSEUDOSECTION" udp=4096.

This started because, as the DNS admin, I was informed today that we could not
resolve this domain, eeoc.gov. Which was true. As I started digging into it,
and performing a dig from an offsite server which was working, I found that
the domain "eeoc.gov" is running DNSSEC. So, I assumed the problem was with
our firewall blocking or filtering the DNSSEC traffic. But then after
researching for a few hours, I found we were able to resolve the domain, with
no changes to DNS. It could be that "datamtn.com", their authoritative NS, are
performing maintenance or something. So, all this research led me to the
information above.

Are we getting EDNS/DNSSEC responses or no?
thanks
bb
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
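The two observations in the message above (the OARC reply-size result and the dig +dnssec output) are answering different questions, and the fields that tell them apart are all in dig's text output: the OPT pseudosection (EDNS present, DO bit echoed, advertised UDP buffer), the RRSIG records, the AD flag, "MSG SIZE rcvd" together with the absence of a "Truncated, retrying in TCP mode" line, and the query time (a 1 msec answer came from the resolver's cache, so it only exercises the client-to-resolver hop, whereas the OARC test exercises the resolver's own path to OARC's authoritative servers). The script below is an added example, not part of the original post or of BIND: it parses that output, states what it shows, and builds the dig +bufsize ladder a DNS admin would run next to find the largest UDP reply a path actually passes. The embedded sample is constructed from the dig output quoted in the message (signature data shortened); the ladder sizes 4096/1480/1232/512 are a conventional probe set, not anything the post specifies.

```python
"""Read a 'dig +dnssec' reply and say what it shows about EDNS/DNSSEC."""
import re
import subprocess  # used only by run_dig(); nothing touches the network at import

# Constructed sample: header, OPT pseudosection, answer and statistics from the
# dig output quoted in the post (signature data shortened to keep it readable).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;eeoc.gov.                      IN      A

;; ANSWER SECTION:
eeoc.gov.               19499   IN      A       64.94.64.52
eeoc.gov.               19499   IN      RRSIG   A 7 2 21600 20111208014816 20110909014816 52909 eeoc.gov. AW5Ny32x...

;; Query time: 1 msec
;; SERVER: 10.120.11.107#53(10.120.11.107)
;; WHEN: Tue Sep 27 15:34:07 2011
;; MSG SIZE  rcvd: 1726
"""


def parse_dig(text):
    """Pull the EDNS/DNSSEC-relevant fields out of dig's text output."""
    flags = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS: version: (\d+), flags:\s*([^;]*);\s*udp: (\d+)", text, re.M)
    size = re.search(r"MSG SIZE\s+rcvd: (\d+)", text)
    server = re.search(r"^;; SERVER: ([^#\s]+)", text, re.M)
    qtime = re.search(r"Query time: (\d+) msec", text)
    status = re.search(r"status: (\w+)", text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns": edns is not None,
        "do": bool(edns) and "do" in edns.group(2).split(),
        "udp": int(edns.group(3)) if edns else None,
        "rrsig_count": len(re.findall(r"^\S+\s+\d+\s+IN\s+RRSIG\b", text, re.M)),
        "msg_size": int(size.group(1)) if size else None,
        "truncated_tcp": ";; Truncated, retrying in TCP mode" in text,
        "server": server.group(1) if server else None,
        "query_ms": int(qtime.group(1)) if qtime else None,
    }


def assess(info):
    """Turn the parsed fields into the statements a DNS admin wants to see."""
    out = []
    if not info["edns"]:
        out.append("no OPT record came back: EDNS was stripped on the way or the resolver lacks it")
    elif not info["do"]:
        out.append("OPT present but the DO bit was not echoed: resolver is not returning DNSSEC data")
    elif info["rrsig_count"] == 0:
        out.append("DO set but no RRSIG records: signatures are being dropped somewhere")
    else:
        out.append(f"EDNS0 with DO and {info['rrsig_count']} RRSIG(s): DNSSEC data reached this client")
    if info["msg_size"] and info["msg_size"] > 512:
        how = "after falling back to TCP" if info["truncated_tcp"] else "over UDP"
        out.append(f"{info['msg_size']}-byte reply arrived {how} from {info['server']}: "
                   "the client-to-resolver hop passes replies larger than 512 bytes")
    if "ad" not in info["flags"]:
        out.append("AD flag absent: the resolver returned the signatures but did not validate them")
    if info["query_ms"] is not None and info["query_ms"] < 5:
        out.append("almost certainly answered from the resolver's cache: this says nothing about "
                   "the resolver's own path to the authoritative servers (what the OARC test measures)")
    return out


def bufsize_ladder(name, server, sizes=(4096, 1480, 1232, 512)):
    """dig invocations that find the largest UDP reply the path to `server` passes.
    +ignore stops dig from retrying over TCP, so a truncated (tc) reply stays visible."""
    return [["dig", "+dnssec", "+ignore", f"+bufsize={s}", f"@{server}", name, "A"]
            for s in sizes]


def run_dig(argv):
    """Run one dig command and parse it (needs dig installed and network access)."""
    return parse_dig(subprocess.run(argv, capture_output=True, text=True, check=False).stdout)


if __name__ == "__main__":
    for line in assess(parse_dig(SAMPLE_DIG_OUTPUT)):
        print("-", line)
    for argv in bufsize_ladder("eeoc.gov", "10.120.11.107"):
        print(" ".join(argv))
```

Run it as-is to see the reading of the quoted output; to probe a live path, feed each entry of bufsize_ladder() to run_dig() and watch at which +bufsize the reply either shrinks to fit or comes back with the tc flag set. Running the ladder from a host outside the firewall against the same resolver, and from the resolver host itself against an authoritative server, separates a firewall limit from a resolver limit, which is the distinction the two results in the message leave open.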