Is the FBI's DNSSEC broken?

John Levine johnl at iecc.com
Fri Aug 30 22:27:36 UTC 2013


I don't claim to be a big DNSSEC expert, but this looks just plain wrong
to me, and unbound agrees, turning it into a SERVFAIL.

Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:

$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.		IN	A

;; ANSWER SECTION:
mail.ic.fbi.gov.	600	IN	A	153.31.119.142
mail.ic.fbi.gov.	600	IN	RRSIG	A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=

;; AUTHORITY SECTION:
fbi.gov.		600	IN	NS	ns3.fbi.gov.
fbi.gov.		600	IN	NS	ns5.fbi.gov.
fbi.gov.		600	IN	NS	ns4.fbi.gov.
fbi.gov.		600	IN	NS	ns2.fbi.gov.
fbi.gov.		600	IN	NS	ns1.fbi.gov.
fbi.gov.		600	IN	NS	ns6.fbi.gov.
fbi.gov.		600	IN	RRSIG	NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=

Here's a query for the same name, but for AAAA which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.		IN	AAAA

;; AUTHORITY SECTION:
fbi.gov.		600	IN	SOA	ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200	IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov.		600	IN	RRSIG	SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=

Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG
for mail.ic.fbi.gov?

Am I missing something, or is it broken?  The server says it's from Ultradns.

R's,
John
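To make the complaint above concrete, here is an added Python example (not part of John's message or anything from NANOG or UltraDNS) that performs the two checks a validating resolver such as unbound applies to a NODATA answer: it recomputes the RFC 5155 NSEC3 hash of the query name with the parameters carried in the NSEC3 record (algorithm 1 = SHA-1, 10 iterations, salt `BBAB`) to see whether the returned NSEC3 is the one covering `mail.ic.fbi.gov`, and it looks for an RRSIG covering every RRset in the section. The sample records are the authority and answer sections quoted above with the long signature fields shortened; the helper names are my own, and the hash function is verified against the `example.` test vector from RFC 5155 Appendix A.

```python
"""Validator-style checks on a NODATA (NOERROR, ANSWER 0) response. Added example."""
import base64
import hashlib

# Authority section of the AAAA query from the post (tabs collapsed to spaces,
# signature data shortened; the checks below only look at owner and type fields).
NODATA_AUTHORITY = """\
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br...
"""

# Answer section of the A query from the post, for comparison (signature shortened).
A_ANSWER = """\
mail.ic.fbi.gov. 600 IN A 153.31.119.142
mail.ic.fbi.gov. 600 IN RRSIG A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0Bv...
"""

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire-format owner name: length-prefixed labels, root byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: H(x || salt), re-hashed `iterations` more times, base32hex."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def parse_rrs(section: str):
    """Split presentation-format lines into (owner, type, rdata-token-list)."""
    rrs = []
    for line in section.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _class, rtype, *rdata = line.split()
        rrs.append((owner.lower(), rtype, rdata))
    return rrs


def unsigned_rrsets(section: str) -> set:
    """(owner, type) pairs present in the section with no RRSIG covering them."""
    rrs = parse_rrs(section)
    present = {(owner, rtype) for owner, rtype, _ in rrs if rtype != "RRSIG"}
    signed = {(owner, rdata[0]) for owner, rtype, rdata in rrs if rtype == "RRSIG"}
    return present - signed


def check_nodata(section: str, qname: str, qtype: str) -> list:
    """Problems a validator would raise before accepting this as a signed NODATA."""
    problems = []
    nsec3s = [(owner, rdata) for owner, rtype, rdata in parse_rrs(section) if rtype == "NSEC3"]
    if not nsec3s:
        problems.append("no NSEC3 record in the authority section")
    for owner, rdata in nsec3s:
        alg, _flags, iters, salt, _next, *types = rdata
        expected = nsec3_hash(qname, salt, int(iters), int(alg))
        if owner.split(".", 1)[0] != expected:
            problems.append(f"NSEC3 {owner} is not H({qname}) = {expected}")
        elif qtype in types or "CNAME" in types:
            problems.append(f"NSEC3 for {qname} claims {qtype} or CNAME exists")
    for owner, rtype in unsigned_rrsets(section):
        problems.append(f"{rtype} RRset at {owner} has no RRSIG")
    return problems


if __name__ == "__main__":
    print("A answer, unsigned RRsets:", unsigned_rrsets(A_ANSWER))
    for p in check_nodata(NODATA_AUTHORITY, "mail.ic.fbi.gov.", "AAAA"):
        print("NODATA problem:", p)
```

Whatever the hash comparison says about which name the returned NSEC3 covers, the second check fails on the quoted response: the NSEC3 RRset has no RRSIG in the authority section while the SOA does, and an unsigned NSEC3 cannot prove anything to a validator, which is enough on its own for a SERVFAIL.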




More information about the NANOG mailing list