In message <20130830223510.ga10...@esri.com>, Ray Van Dolson writes:
> On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
> > I don't claim to be a big DNSSEC expert, but this looks just plain
> > wrong to me, and unbound agrees, turning it into a SERVFAIL.
> >
> > Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
> >
> > $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
> >
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 65235
> > ;; QUESTION SECTION:
> > ;mail.ic.fbi.gov.              IN      A
> >
> > ;; ANSWER SECTION:
> > mail.ic.fbi.gov.        600     IN      A       153.31.119.142
> > mail.ic.fbi.gov.        600     IN      RRSIG   A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
> >
> > ;; AUTHORITY SECTION:
> > fbi.gov.                600     IN      NS      ns3.fbi.gov.
> > fbi.gov.                600     IN      NS      ns5.fbi.gov.
> > fbi.gov.                600     IN      NS      ns4.fbi.gov.
> > fbi.gov.                600     IN      NS      ns2.fbi.gov.
> > fbi.gov.                600     IN      NS      ns1.fbi.gov.
> > fbi.gov.                600     IN      NS      ns6.fbi.gov.
> > fbi.gov.                600     IN      RRSIG   NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
> >
> > Here's a query for the same name, but for AAAA which it doesn't have:
> >
> > $ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> >
> > ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 65235
> > ;; QUESTION SECTION:
> > ;mail.ic.fbi.gov.              IN      AAAA
> >
> > ;; AUTHORITY SECTION:
> > fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
> > 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> > fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
> >
> > Shouldn't there be some more stuff there in the authority section,
> > like an NSEC3 and RRSIG for mail.ic.fbi.gov?

The NSEC3 is there and it is correct.  What is missing is the signature
for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
%

Mark

> > Am I missing something, or is it broken?  The server says it's from
> > Ultradns.
> >
> > R's,
> > John
>
> Hi John;
>
> I don't think you're alone on this!  Ref this thread (an issue we ran
> into with accepting mail from ic.fbi.gov due to DNSSEC validation
> failure) from July[1].
>
> Have done my best to get someone's attention to fix the issue, but so
> far no joy.
>
> Ray
>
> [1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
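As an added worked example (not code from this thread, nor BIND's nsec3hash), here is the RFC 5155 NSEC3 owner-name computation that Mark's nsec3hash run performs, alongside the check a validator makes that the AAAA response above fails: an RRSIG covering the NSEC3 must be present before the denial can be accepted. The record parameters and the list of RRSIG types seen are constructed from the quoted dig output.

```python
import base64
import hashlib

# Constructed from the dig output quoted above: the NSEC3 parameters
# (algorithm 1 = SHA-1, flags 0, 10 iterations, salt BBAB), the NSEC3 owner
# label, and the types the AUTHORITY section's RRSIGs covered (SOA only).
NSEC3_ALGORITHM = 1
NSEC3_ITERATIONS = 10
NSEC3_SALT_HEX = "BBAB"
NSEC3_OWNER_LABEL = "95RIPFTKTJC9I7J8HDAIA7CM6L279FSR"
AUTHORITY_RRSIG_COVERS = ["SOA"]


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a DNS name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s.5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).

    The result is the base32hex (extended hex alphabet) owner label.
    """
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # Standard base32 alphabet -> extended hex alphabet (RFC 4648 section 7)
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexalpha = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(str.maketrans(std, hexalpha))


def nsec3_matches_qname(qname: str, owner_label: str, salt_hex: str, iterations: int) -> bool:
    """True when the NSEC3 owner is the hash of the queried name (exact match)."""
    return nsec3_hash(qname, salt_hex, iterations) == owner_label.upper()


def denial_is_provable(rrsig_covers) -> bool:
    """A validator can only use the NSEC3 if an RRSIG covering NSEC3 is present."""
    return "NSEC3" in rrsig_covers


if __name__ == "__main__":
    print(nsec3_hash("mail.ic.fbi.gov", NSEC3_SALT_HEX, NSEC3_ITERATIONS))
    print("NSEC3 matches qname:", nsec3_matches_qname("mail.ic.fbi.gov", NSEC3_OWNER_LABEL, NSEC3_SALT_HEX, NSEC3_ITERATIONS))
    print("denial provable:", denial_is_provable(AUTHORITY_RRSIG_COVERS))
```

The first two checks pass for the quoted response (the NSEC3 really is the one for mail.ic.fbi.gov), while the third fails, which is exactly why unbound returns SERVFAIL.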