On Jul 8, 2020, at 12:03 PM, Viktor Dukhovni wrote:
>
> On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote:
>
>># dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
>>grantee.fema.gov. 86400 IN DS 1164 10 1 [omitted]
>>grantee.fema.gov.
Hello Everyone,
I am the DNS SME for DHS. I was made aware of this thread, and I
wanted to post a note that we have resolved the issue and things should be
responding correctly. In the future, if you see any issues with other sites
under the dhs.gov umbrella,
On Wed, Jul 08, 2020 at 05:07:43PM -0700, Brian Somers wrote:
> Interesting. I just see:
>
> # dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @216.81.81.101
>
> ; <<>> DiG 9.16.4 <<>> +cd +norecurse +tries +bufsize +dnssec dnskey grantee.fema.gov
On Jul 8, 2020, at 12:22 PM, Stephane Bortzmeyer wrote:
>
>>
>> No. My BIND and Unbound personal resolvers (which do not have a NTA)
>> get a reply and set AD.
>
> There are probably several different instances for each authoritative
> server of grantee.fema.gov, and they behave differently.
On Jul 8, 2020, at 12:31 PM, Viktor Dukhovni wrote:
>
> With even more verbose debugging, unbound-host reports a DNSKEY response
> size of 1842 bytes.
Interesting. I just see:
# dig +cd +norecurse +tries=1 +bufsize=2000 +dnssec dnskey grantee.fema.gov @216.81.81.101
; <<>> DiG
On Wed, Jul 08, 2020 at 03:03:57PM -0400, Viktor Dukhovni wrote:
> > However, grantee.fema.gov is horribly broken:
> > • Querying the authority for the DNSKEY without the DO bit works
> > (getting the DNSKEY with no signatures)
> > • Querying the authority for the DNSKEY with the DO bit
On Wed, Jul 08, 2020 at 09:15:02PM +0200, Stephane Bortzmeyer wrote a message of 57 lines which said:
> No. My BIND and Unbound personal resolvers (which do not have a NTA)
> get a reply and set AD.
There are probably several different instances for each authoritative
server of
On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote a message of 38 lines which said:
> I can only suspect that all 3 of these resolvers have an NTA for
> this domain!
No. My BIND and Unbound personal resolvers (which do not have a NTA)
get a reply and set AD. The truth is
I can confirm for 1.1.1.1. The main problem is that the DNSKEY with the DO bit
doesn't fit in a UDP response without fragmentation, and the TCP retry
returns NODATA, so it's not retrievable unless you set the bufsize to
at least 1853 bytes (the DO bit bumps the response size). There's a
workaround for that so at
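The failure mode described in this message (DNSKEY fits without the DO bit, needs a UDP buffer of roughly 1853 bytes with it, and the TCP fallback answers NODATA) is easiest to see by issuing the same query at several EDNS buffer sizes and then over TCP. The script below is an added example written for this thread, not code posted by anyone on the list; it uses only the Python standard library, builds the DNSKEY query in wire format with CD set and RD clear (the equivalent of `dig +cd +norecurse`), and classifies each response by its TC bit, RCODE, answer count and whether an RRSIG accompanies the DNSKEY. The server address and zone name are command-line arguments; IPv4-only transport and the default name `grantee.fema.gov` are assumptions of the example.

```python
"""DNSKEY probe: UDP at increasing EDNS sizes, then TCP, with a one-word
verdict per response. Added example for this thread; stdlib only, IPv4 only."""
import socket
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41


def encode_name(name):
    """Wire-format owner name: length-prefixed labels plus root terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=DNSKEY, qid=0x1234, bufsize=None, do=False):
    """Query with CD set and RD clear (dig +cd +norecurse). When bufsize is
    given an EDNS0 OPT pseudo-RR is appended; do=True sets DO in its TTL."""
    header = struct.pack("!HHHHHH", qid, 0x0010, 1, 0, 0, 1 if bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if bufsize:
        opt = b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0x8000 if do else 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header flags and the RR types present in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "ancount": an, "answer_types": types, "size": len(msg)}


def classify(r):
    """One word per outcome discussed in the thread."""
    if r["tc"]:
        return "TRUNCATED"   # did not fit the advertised buffer size
    if r["rcode"] != 0:
        return "RCODE%d" % r["rcode"]
    if r["ancount"] == 0:
        return "NODATA"      # NOERROR with an empty answer section
    if RRSIG in r["answer_types"]:
        return "SIGNED"      # DNSKEY plus RRSIG, what a validator needs
    return "UNSIGNED"        # DNSKEY without RRSIG, as seen without DO


def query_udp(server, q, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(65535)


def query_tcp(server, q, timeout=3.0):
    """Length-prefixed DNS over TCP; reads the full message before parsing."""
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        buf = b""
        while len(buf) < 2:
            chunk = s.recv(2 - len(buf))
            if not chunk:
                raise ConnectionError("server closed before length prefix")
            buf += chunk
        need = struct.unpack("!H", buf)[0]
        buf = b""
        while len(buf) < need:
            chunk = s.recv(need - len(buf))
            if not chunk:
                break
            buf += chunk
        return buf


def probe(server, name="grantee.fema.gov"):
    """Same DNSKEY query at increasing EDNS sizes over UDP, then over TCP."""
    for label, bufsize, do in (("no EDNS", None, False),
                               ("EDNS 1232 +do", 1232, True),
                               ("EDNS 2000 +do", 2000, True)):
        r = parse_response(query_udp(server, build_query(name, bufsize=bufsize, do=do)))
        print("UDP %-14s -> %-9s %d bytes" % (label, classify(r), r["size"]))
    r = parse_response(query_tcp(server, build_query(name, bufsize=4096, do=True)))
    print("TCP EDNS 4096 +do -> %-9s %d bytes" % (classify(r), r["size"]))


if __name__ == "__main__":
    import sys
    probe(sys.argv[1], *sys.argv[2:3])
```

Run it as `python3 probe.py 216.81.81.101` to repeat the sequence the thread walked through by hand: a healthy authority answers UNSIGNED without EDNS, TRUNCATED at a buffer size the signed RRset does not fit, and SIGNED once the buffer is large enough or over TCP; a TCP answer classified NODATA is the symptom this message describes.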
On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote:
> # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
> grantee.fema.gov. 86400 IN DS 1164 10 1 [omitted]
> grantee.fema.gov. 86400 IN RRSIG DS 8 3 86400 20200711020644
I thought this was worth a question here as I’m completely confused about how
this domain functions.
As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
and respond correctly:
# dig +short ns fema.gov
a1-91.akam.net.
a7-64.akam.net.
a8-65.akam.net.