Hi Ray,
Did you ever get a resolution on this?
We have had intermittent trouble getting to www.nws.noaa.gov sites,
and the fix has been a full restart of the named service. I wasn't
really sure how or where to start troubleshooting, but when I saw
this email I was hopeful there would be a fix.

As someone indicated, it appears to be a problem with all .gov sites.
Has anyone confirmed if this has been fixed?

Thanks
BB

-----Original Message-----
From: bind-users-bounces+brad.bendily=la....@lists.isc.org
[mailto:bind-users-bounces+brad.bendily=la....@lists.isc.org] On Behalf Of Ray Van Dolson
Sent: Wednesday, July 17, 2013 11:49 AM
To: bind-users@lists.isc.org
Subject: Troubleshooting DNSSEC issue w/ ic.fbi.gov

Hello;

Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov 
that seems to be DNSSEC related.

Am fairly certain of this because if I set dnssec-enable and dnssec-validation 
to no (have them at 'yes' normally), resolution succeeds.

If I run a dig @nameserver ic.fbi.gov from a client machine, dig just hangs for 
a bit then eventually times out.  dig @nameserver fbi.gov works fine....

On my BIND server, I see the following in a packet capture:

  0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
  0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
  0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
  0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
  0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
  0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name

So it seems like the issue is related to the DS records queried not existing, 
but I've checked a few DNSSEC validation tools out there by plugging ic.fbi.gov 
in and things appear to check out.  This could be firewall related on my side 
(we have Checkpoint firewalls), but other DNSSEC queries appear to be working 
OK.

A dig @8.8.8.8 +dnssec ic.fbi.gov works OK as well, also making me think the
issue is somehow on my side....

Am reading up on additional troubleshooting steps for DNSSEC, but still 
wrapping my head around concepts.

Anyone have any tips as to where to start "digging" next based on what I'm 
seeing above?

Thanks,
Ray
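
An added example, not code from either poster: a small Python triage pass over the tshark summary lines in the post above, re-joined and embedded as constructed input. It parses each query and response, counts the DS lookups and their "No such name" answers, flags leftmost labels that have the 32-character base32hex shape of NSEC3 hashed owner names (RFC 5155; shape only, since the zone's NSEC3PARAM is not in the post), and reports the longest gap between packets, which in this trace is the roughly 30 second silence before the final DS retry.

```python
import re

# Constructed sample input: the tshark summary lines from the post, with the
# wrapped DS query names re-joined onto single lines.
CAPTURE = """\
  0.000000 1.1.1.1 -> 156.154.64.48 DNS Standard query A ic.fbi.gov
  0.026504 156.154.64.48 -> 1.1.1.1 DNS Standard query response
  0.026927 1.1.1.1 -> 156.154.69.48 DNS Standard query DS 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov
  0.042998 156.154.69.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.043485 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 97S2G907NEFOJ79P721E4FEQ9LR3IT1S.fbi.gov
  0.048186 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
  0.048595 1.1.1.1 -> 156.154.67.48 DNS Standard query DS 6VTIGSHGMAR334K0PFDJ5ODURDL6CUFP.fbi.gov
  0.053765 156.154.67.48 -> 1.1.1.1 DNS Standard query response, No such name
 30.043683 1.1.1.1 -> 156.154.65.48 DNS Standard query DS GON9PTIAV4KLS7E9NMHD9LG02RQD6K3I.fbi.gov
 30.061169 156.154.65.48 -> 1.1.1.1 DNS Standard query response, No such name
"""

# tshark summary line: time, src -> dst, then "<qtype> <qname>" or "response[, <status>]".
LINE_RE = re.compile(r"^\s*(?P<t>\d+\.\d+)\s+(?P<src>\S+) -> (?P<dst>\S+) DNS Standard query (?P<rest>.+?)\s*$")
# Leftmost label shaped like an NSEC3 hashed owner name: 32 base32hex chars (SHA-1,
# RFC 5155). Shape only; confirming it needs the zone's NSEC3PARAM salt/iterations.
NSEC3_LABEL_RE = re.compile(r"^[0-9A-Va-v]{32}$")

def parse_capture(text):
    """Turn tshark summary lines into a list of query/response dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS summary line
        ev = {"t": float(m["t"]), "src": m["src"], "dst": m["dst"]}
        rest = m["rest"]
        if rest.startswith("response"):
            ev.update(kind="response", rcode="NXDOMAIN" if "No such name" in rest else "NOERROR")
        else:
            qtype, qname = rest.split(None, 1)
            ev.update(kind="query", qtype=qtype, qname=qname.rstrip("."))
        events.append(ev)
    return events

def triage(text):
    """Summarise the signs of a stalled validation in the trace."""
    events = parse_capture(text)
    ds = [e for e in events if e["kind"] == "query" and e["qtype"] == "DS"]
    hash_like = [e["qname"] for e in ds if NSEC3_LABEL_RE.match(e["qname"].split(".")[0])]
    nxdomain = sum(1 for e in events if e.get("rcode") == "NXDOMAIN")
    # Longest silence between consecutive packets: here the ~30 s before the last DS retry.
    max_gap = max((b["t"] - a["t"] for a, b in zip(events, events[1:])), default=0.0)
    return {"ds_queries": len(ds), "nsec3_like_ds_names": hash_like,
            "nxdomain_answers": nxdomain, "max_gap_s": round(max_gap, 6)}
```

Call `triage(CAPTURE)` to get the summary; feeding it a `tshark -Y dns` summary from your own resolver gives the same three signals for a fresh trace.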
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users