It appears to me that the NSEC3 record that is denying the existence of the DS record for ic.fbi.gov does not have a corresponding RRSIG. That's based on a fairly cursory glance.

This seems to be the case for all of the NSEC3 records in fbi.gov. Something's messed up in fbi.gov.

michael

PS: Note below that the SOA record has an RRSIG but the NSEC3 record doesn't. Querying for any non-existing record (including for properly-delegated domains without DS records) in fbi.gov will cause a validation failure.

schuylkill:~ ms$ dig +cdflag +dnssec ds ic.fbi.gov

; <<>> DiG 9.9.3-P1 <<>> +cdflag +dnssec ds ic.fbi.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23239
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ic.fbi.gov. IN DS

;; AUTHORITY SECTION:
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131014154120 20130716154120 32497 fbi.gov. mjg99/NUrrtRn51Ju90FeYyIlF0IITjP/qqk4yWjVsLSDVZIr3uQ9sAn 3e/WrxWeSMteGUMixVDzCBbky5M6/hpO26v2AyKh4IV3I/gIBsy0daS6 MeOMgwhF6EK2HcFoSU24i2Np3GTY05UjpTxlcz1vvoJmBvUOgFbOBJ6d eJM=
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 600 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG

On 7/17/13 10:05 AM, Sten Carlsen wrote:
> From here I see a fast response using the local server:
> ~~~~~
> $ dig ic.fbi.gov
>
> ; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2421
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ic.fbi.gov. IN A
>
> ;; AUTHORITY SECTION:
> fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200
>
> ;; Query time: 158 msec
> ~~~~~
> No error, but no address.
>
> Using Google I get a servfail:
> ~~~~~
> $ dig ic.fbi.gov @8.8.8.8
>
> ; <<>> DiG 9.7.6-P1 <<>> ic.fbi.gov @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11426
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ic.fbi.gov. IN A
>
> ;; Query time: 102 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jul 17 18:54:41 2013
> ;; MSG SIZE rcvd: 28
> ~~~~~
> SERVFAIL, so something is unclear.
>
>
> On 17/07/13 18:49, Ray Van Dolson wrote:
>> Hello;
>>
>> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
>> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
>> ic.fbi.gov that seems to be DNSSEC related.
>>
>> Am fairly certain of this because if I set dnssec-enable and
>> dnssec-validation to no (have them at 'yes' normally), resolution
>> succeeds.
>>
>> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
>> hangs for a bit then eventually times out. dig @nameserver fbi.gov
>> works fine....
>>
>> On my BIND server, I see the following in a packet capture:
>>
>> 0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
>> 0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
>> 0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS
>> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
>> 0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
>> 0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS
>> 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
>> 0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>> 0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS
>> 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
>> 0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
>> 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS
>> GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
>> 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
>>
>> So it seems like the issue is related to the DS records queried not
>> existing, but I've checked a few DNSSEC validation tools out there by
>> plugging ic.fbi.gov in and things appear to check out. This could be
>> firewall related on my side (we have Checkpoint firewalls), but other
>> DNSSEC queries appear to be working OK.
>>
>> A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well also making me think
>> the issue is somehow on my side....
>>
>> Am reading up on additional troubleshooting steps for DNSSEC, but still
>> wrapping my head around concepts.
>>
>> Anyone have any tips as to where to start "digging" next based on what
>> I'm seeing above?
>>
>> Thanks,
>> Ray
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
> "MALE BOVINE MANURE!!!"
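As an added illustration (my own code, not from the thread, from BIND, or from any of the posters), the script below applies to a pasted AUTHORITY section the rule a validating resolver enforces before it accepts a denial of existence: every RRset in the response, NSEC3 records included, must have an RRSIG that covers it, and that RRSIG must be inside its inception/expiration window. The sample input is constructed from the dig output quoted above; the extra "RRSIG NSEC3" line in the signed variant is a constructed placeholder showing what the response should have contained, not a real signature. With +cdflag the resolver hands back the unsigned data as-is, which is why the dig above returns NOERROR while a validating resolver answers SERVFAIL.

```python
"""Added example: audit a DNSSEC authority section for RRsets without a covering RRSIG.

Not code from the thread or from BIND; written for this page. The sample input is
constructed from the AUTHORITY section of the `dig +cdflag +dnssec ds ic.fbi.gov`
output quoted above, one record per line in presentation format.
"""

# Constructed from the thread's dig output: the SOA, its RRSIG, and the NSEC3 that
# arrives with no RRSIG of its own (dig prints the base64 signature split by
# spaces; the parser below tolerates that).
SAMPLE_AUTHORITY = """\
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131014154120 20130716154120 32497 fbi.gov. mjg99/NUrrtRn51Ju90FeYyIlF0IITjP/qqk4yWjVsLSDVZIr3uQ9sAn 3e/WrxWeSMteGUMixVDzCBbky5M6/hpO26v2AyKh4IV3I/gIBsy0daS6 MeOMgwhF6EK2HcFoSU24i2Np3GTY05UjpTxlcz1vvoJmBvUOgFbOBJ6d eJM=
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 600 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""

# Constructed: what a correct response would have carried in addition. The
# signature value is a placeholder, not a real RRSIG over that NSEC3.
SAMPLE_AUTHORITY_SIGNED = SAMPLE_AUTHORITY + (
    "7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 600 IN RRSIG NSEC3 7 3 600 "
    "20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIGNATURE=\n"
)


def parse_records(text):
    """Parse presentation-format lines into (owner, ttl, class, type, rdata fields).

    Owner names are lower-cased because DNS names compare case-insensitively.
    Blank lines and dig's ';' comment lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        owner, ttl, rclass, rtype = fields[0].lower(), int(fields[1]), fields[2], fields[3]
        records.append((owner, ttl, rclass, rtype, fields[4:]))
    return records


def find_unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that no RRSIG in the section covers.

    The first rdata field of an RRSIG is the type it covers, so the RRset
    (owner, T) is signed iff an RRSIG at `owner` with type-covered T is present.
    """
    rrsets, covered = set(), set()
    for owner, _ttl, _cls, rtype, rdata in parse_records(text):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def rrsig_window_ok(rdata, now):
    """True if `now` ('YYYYMMDDHHMMSS' in UTC, as dig prints RRSIG times) lies
    within the RRSIG's inception..expiration window. RRSIG rdata field order:
    type_covered algorithm labels original_ttl expiration inception key_tag signer signature...
    """
    expiration, inception = int(rdata[4]), int(rdata[5])
    return inception <= int(now) <= expiration


def audit(text, now):
    """List the objections a validator would raise: unsigned RRsets first, then
    RRSIGs whose validity window does not contain `now`."""
    problems = [f"{owner} {rtype}: no covering RRSIG"
                for owner, rtype in find_unsigned_rrsets(text)]
    for owner, _ttl, _cls, rtype, rdata in parse_records(text):
        if rtype == "RRSIG" and not rrsig_window_ok(rdata, now):
            problems.append(f"{owner} RRSIG({rdata[0]}): outside validity window")
    return problems


if __name__ == "__main__":
    # On the date of the thread only the unsigned NSEC3 is reported; the SOA's
    # RRSIG is inside its window.
    for problem in audit(SAMPLE_AUTHORITY, "20130717100500"):
        print(problem)
```

The same check run against the signed variant returns no problems, which is the state fbi.gov needed to reach for Ray's validating BIND to stop returning SERVFAIL for names under it.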