It doesn't help that the nameservers for treasury.gov and www.moneyfactorystore.gov are broken. They don't respond to EDNS version 1 queries.
; <<>> DiG 9.11.0pre-alpha <<>> treasury.gov dnskey @166.123.208.249 +dnssec +edns=1
;; global options: +cmd
;; connection timed out; no servers could be reached

It would be nice if the dnssec verification tools:

* handles unknown EDNS version (returns BADVERS)
* handles unknown EDNS option (ignores it, I've seen servers incorrectly echo it back, return BADVERS, and drop the query)
* responds with > 512 bytes to an EDNS@512 byte TCP query (this requires finding a response that will be > 512 bytes)
* add the OPT record to a truncated response (this requires finding a response that can be forced to truncate)

The first two impact upon future DNS development. Much easier to fix problems if you catch them early. It is a real pain having to try to figure out why you are not getting a response when there are lots of different things to eliminate as the cause.

The last two impact validators running behind firewalls that limit responses to 512 bytes.

Mark

In message <caektlitx25at8fez8w_tbahrsegjg+pobtr5b7ivh5qqhaz...@mail.gmail.com>, Casey Deccio writes:
>
> On Sat, Jul 26, 2014 at 2:30 PM, Ryan Rawdon <[email protected]> wrote:
>
> > http://dnssec-debugger.verisignlabs.com/www.moneyfactorystore.gov
> >
> > RRSIG=51869 and DNSKEY=51869 does not verify the A RRset (RSA Verification failed)
> > RRSIG=54410 and DNSKEY=54410 does not verify the A RRset (RSA Verification failed)
> > None of the 2 RRSIG and 4 DNSKEY records validate the A RRset
> > The A RRset was not signed by any keys in the chain-of-trust
> >
> > Validation for moneyfactorystore.gov succeeds, however
> > www.moneyfactorystore.gov fails. Came across this when a user pointed
> > out that it was not resolving.
>
> Hmm, DNSViz doesn't see any problems [1], and the DNS-OARC resolvers give
> an authenticated response [2]. I'm not sure about the reported RSA
> verification failures, but it could be that your resolver is (incorrectly)
> expecting a closest encloser NSEC3 record, which isn't necessary for
> wildcard responses, but which some older versions of BIND required [3].
> What resolver are you running?
>
> Cheers,
> Casey
>
> [1] http://dnsviz.net/d/www.moneyfactorystore.gov/U9P4fQ/dnssec/
> [2] https://www.dns-oarc.net/oarc/services/odvr
> [3] See the following thread:
> http://dnssec-deployment.org/pipermail/dnssec-deployment/2011-October/005486.html

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
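The first two checks Mark asks for (BADVERS for an unknown EDNS version, an unknown option ignored rather than echoed, and an OPT record present at all), as an added example that is not from this thread, from dig, or from any of the tools mentioned: a pure-stdlib Python probe builder and response classifier. The option code 65001 (private-use range) and the query id are constructed values; sending the query over UDP with a timeout is left to the caller, who passes the reply bytes (or None on timeout) to classify().

```python
import struct

OPT_TYPE = 41
PROBE_OPTION = 65001   # constructed: private-use option code that no server should recognise

def build_edns_query(qname, qtype=48, version=1, qid=0x1234):
    # DNSKEY (48) query with RD and DO set, the given EDNS version and one unknown, empty option.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    option = struct.pack(">HH", PROBE_OPTION, 0)
    ttl = (version << 16) | 0x8000                        # OPT TTL = ext-rcode | version | flags (DO)
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, ttl, len(option)) + option
    return header + name + struct.pack(">HH", qtype, 1) + opt

def _skip_name(msg, off):
    # Offset just past a domain name; a compression pointer (top two bits set) ends it in two bytes.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def find_opt(msg):
    # (ext_rcode, version, [option codes]) from the OPT record, or None if the message carries none.
    off, (qd, an, ns, ar) = 12, struct.unpack(">HHHH", msg[4:12])
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == OPT_TYPE:
            codes = []
            while len(rdata) >= 4:                        # walk the option list
                code, olen = struct.unpack(">HH", rdata[:4])
                codes, rdata = codes + [code], rdata[4 + olen:]
            return ttl >> 24, (ttl >> 16) & 0xFF, codes
    return None

def classify(response):
    # How the server handled the probe: timeout, no-opt, badvers, echoed-option or ok.
    if response is None:
        return "timeout"                                  # query dropped, as for treasury.gov above
    if (opt := find_opt(response)) is None:
        return "no-opt"
    ext_rcode, _version, codes = opt
    if (ext_rcode << 4) | (response[3] & 0x0F) == 16:     # 16 = BADVERS, the RFC 6891 answer here
        return "badvers"
    return "echoed-option" if PROBE_OPTION in codes else "ok"
```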
