On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
> I don't claim to be a big DNSSEC expert, but this looks just plain
> wrong to me, and unbound agrees, turning it into a SERVFAIL.
>
> Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov. IN A
>
> ;; ANSWER SECTION:
> mail.ic.fbi.gov. 600 IN A 153.31.119.142
> mail.ic.fbi.gov. 600 IN RRSIG A 7 4 600 20131124123847
> 20130826123847 32497 fbi.gov.
> dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV
> ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI
> EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
>
> ;; AUTHORITY SECTION:
> fbi.gov. 600 IN NS ns3.fbi.gov.
> fbi.gov. 600 IN NS ns5.fbi.gov.
> fbi.gov. 600 IN NS ns4.fbi.gov.
> fbi.gov. 600 IN NS ns2.fbi.gov.
> fbi.gov. 600 IN NS ns1.fbi.gov.
> fbi.gov. 600 IN NS ns6.fbi.gov.
> fbi.gov. 600 IN RRSIG NS 7 2 600 20131124123847
> 20130826123847 32497 fbi.gov.
> l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo
> 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv
> UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
>
> Here's a query for the same name, but for AAAA which it doesn't have:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
>
> ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov. IN AAAA
>
> ;; AUTHORITY SECTION:
> fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov.
> 2013082601 7200 3600 2592000 43200
> 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB
> 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847
> 20130826123847 32497 fbi.gov.
> QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI
> 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV
> J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
>
> Shouldn't there be some more stuff there in the authority section,
> like an NSEC3 and RRSIG for mail.ic.fbi.gov?
>
> Am I missing something, or is it broken? The server says it's from
> Ultradns.
>
> R's,
> John
Hi John;

I don't think you're alone on this! Ref this thread (an issue we ran into
with accepting mail from ic.fbi.gov due to DNSSEC validation failure) from
July[1]. Have done my best to get someone's attention to fix the issue, but
so far no joy.

Ray

[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
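Added example, not part of either message above: a small Python script that applies the RFC 5155 section 8.5 NODATA checks a validator such as unbound runs against the authority section John posted for the AAAA query. It hashes the query name with the NSEC3 parameters shown in that record (algorithm 1 = SHA-1, 10 iterations, salt BBAB), tests whether the hash matches or is merely covered by the NSEC3 owner, and checks that the SOA and the NSEC3 are each accompanied by an RRSIG. The record list is transcribed from the dig output above (RRSIGs reduced to the type they cover); whether the owner hash matches mail.ic.fbi.gov is computed at run time rather than assumed, and the RFC 5155 Appendix A zone ("example", salt aabbccdd, 12 iterations) is used only to check the hash function itself. The script checks the structure of the proof, not the signatures (it loads no DNSKEY).

```python
import base64
import hashlib

# Records transcribed from the AAAA response in John's message: the NSEC3 owner,
# parameters, next hash and type bitmap as shown; RRSIGs reduced to the type covered.
AUTHORITY = [
    {"owner": "fbi.gov.", "type": "SOA"},
    {"owner": "95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "type": "NSEC3",
     "alg": 1, "flags": 0, "iterations": 10, "salt": "BBAB",
     "next": "97S2G907NEFOJ79P721E4FEQ9LR3IT1S", "types": {"A", "RRSIG"}},
    {"owner": "fbi.gov.", "type": "RRSIG", "covers": "SOA"},
]

# Python's base64 module speaks standard base32; NSEC3 owners use the Extended Hex
# alphabet (RFC 4648 s.7), so translate between the two.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 s.6.2): lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Base32hex without padding, lower case, as NSEC3 owner names are written."""
    return base64.b32encode(data).decode("ascii").translate(_B32_TO_B32HEX).rstrip("=").lower()


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 s.5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); result is IH(iterations)."""
    if algorithm != 1:                       # only SHA-1 is defined for NSEC3
        raise ValueError("unknown NSEC3 hash algorithm %d" % algorithm)
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash, next_hash, h):
    """True if h lies strictly between owner and next; the last record in the chain wraps to the first."""
    owner_hash, next_hash, h = owner_hash.lower(), next_hash.lower(), h.lower()
    if owner_hash < next_hash:
        return owner_hash < h < next_hash
    return h > owner_hash or h < next_hash


def check_nodata_proof(qname, qtype, authority):
    """RFC 5155 s.8.5 NODATA checks for a name that exists: an NSEC3 matching QNAME must be
    present, its bitmap must lack QTYPE (and CNAME), and the SOA and NSEC3 must carry RRSIGs.
    Returns the individual findings plus an overall proof_complete flag."""
    nsec3s = [r for r in authority if r["type"] == "NSEC3"]
    signed = {r["covers"] for r in authority if r["type"] == "RRSIG"}
    f = {"soa_signed": "SOA" in signed,
         "nsec3_signed": "NSEC3" in signed,       # simplified: any RRSIG NSEC3 at all?
         "matching_nsec3": None,
         "covering_nsec3": None,
         "qtype_absent_from_bitmap": None}
    for r in nsec3s:
        h = nsec3_hash(qname, r["salt"], r["iterations"], r["alg"])
        owner_hash = r["owner"].split(".")[0].lower()
        if h == owner_hash:
            f["matching_nsec3"] = r["owner"]
            f["qtype_absent_from_bitmap"] = qtype not in r["types"] and "CNAME" not in r["types"]
        elif nsec3_covers(owner_hash, r["next"], h):
            f["covering_nsec3"] = r["owner"]      # covers but does not match: wrong kind of proof
    f["proof_complete"] = (f["soa_signed"] and f["nsec3_signed"]
                           and f["matching_nsec3"] is not None
                           and bool(f["qtype_absent_from_bitmap"]))
    return f


if __name__ == "__main__":
    print("H(mail.ic.fbi.gov) =", nsec3_hash("mail.ic.fbi.gov.", "BBAB", 10))
    for k, v in check_nodata_proof("mail.ic.fbi.gov.", "AAAA", AUTHORITY).items():
        print("%-26s %s" % (k, v))
```

Run against the transcribed records it reports nsec3_signed False: there is no RRSIG covering NSEC3 anywhere in the authority section, so whether or not the single NSEC3 shown is the one that hashes to mail.ic.fbi.gov, a validator cannot accept the proof, which is the SERVFAIL John sees from unbound. The nsec3_signed check is deliberately coarse; a real validator pairs each NSEC3 in the proof with its own RRSIG and verifies the signature against the zone's DNSKEY.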