.mil postmaster Contacts?
Ray Van Dolson
rvandolson at esri.com
Wed Oct 29 15:00:34 UTC 2014
On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Alain Hebert
> Sent: Wednesday, October 29, 2014 9:14 AM
> To: nanog at nanog.org
> Subject: Re: .mil postmaster Contacts?
>
> > Might be related to the news (CNN this morning) about the WH network being
> exploited for a few days now.
> > They might be going after some .mil too, and the tightening up of those
> networks may cause disruption.
>
>
> I think it has to do with DNSSEC. The google DNS FAQ mentions (along with
> someone else who emailed me off-list) checking DNSVIZ for issues. So
> looking at:
> http://dnsviz.net/d/disa.mil/dnssec/
>
> seems to indicate some issues. RRSET TTL MISMATCH I think they all are.
> Any DISA people on here? Using a non-Google DNS (which I guess isn't doing
> DNSSEC validation) does resolve the names fine.
>
> Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient
to cause lookup failures (they were "warnings" only).
# dig @8.8.8.8 disa.mil MX +dnssec
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil. IN MX
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
I see the "ad" flag in the query response flags, so am thinking this
lookup succeeded and was validated?
I do note that once we disabled DNSSEC on our resolvers we were able to
push mail out to these domains. May have been coincidental -- needs
further testing.
Ray
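The questions Ray raises (does the "ad" flag mean the answer was validated, and do the DNSViz TTL warnings matter) can be checked offline against the dig output itself. The script below is an added example, not code from the thread; it parses the kind of `dig +dnssec` output quoted above (the sample is the disa.mil MX answer from the post, embedded as a constructed string) and reports whether AD is set, whether the RRSIG validity window covers the query time (taken from the mail's date header), and whether the cached TTLs are consistent with the RRSIG and its "original TTL" field. Names such as `check_answer` and `QUERY_TIME` are this example's own.

```python
"""Offline sanity check of a `dig +dnssec` answer (added example, stdlib only)."""
import re
from datetime import datetime, timezone

# Constructed sample: the flags line and ANSWER SECTION from the post's dig output.
SAMPLE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
"""

# Time of the query, taken from the mail header (Wed Oct 29 15:00:34 UTC 2014).
QUERY_TIME = datetime(2014, 10, 29, 15, 0, 34, tzinfo=timezone.utc)


def _sigtime(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_flags(text):
    """Return the set of header flags (qr, rd, ra, ad, cd, ...) from the ';; flags:' line."""
    m = re.search(r"^;; flags: ([^;]*);", text, re.M)
    return set(m.group(1).split()) if m else set()


def parse_answer(text):
    """Split the ANSWER SECTION into ordinary records and RRSIG records."""
    rrs, sigs = [], []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line or line.startswith(";")):
            break  # next section or end of answer
        if not in_answer:
            continue
        parts = line.split()
        owner, ttl, rtype = parts[0], int(parts[1]), parts[3]
        if rtype == "RRSIG":
            # RRSIG rdata order (RFC 4034): type covered, algorithm, labels,
            # original TTL, expiration, inception, key tag, signer, signature.
            sigs.append({
                "owner": owner, "ttl": ttl,
                "type_covered": parts[4], "algorithm": int(parts[5]),
                "labels": int(parts[6]), "original_ttl": int(parts[7]),
                "expiration": _sigtime(parts[8]), "inception": _sigtime(parts[9]),
                "key_tag": int(parts[10]), "signer": parts[11],
            })
        else:
            rrs.append({"owner": owner, "ttl": ttl, "type": rtype,
                        "rdata": " ".join(parts[4:])})
    return rrs, sigs


def check_answer(text, now):
    """Report AD status, RRSIG validity window and TTL consistency for one dig answer."""
    flags = parse_flags(text)
    rrs, sigs = parse_answer(text)
    problems = []
    if "ad" not in flags:
        problems.append("AD flag not set: the resolver did not validate this answer")
    for sig in sigs:
        covered = [r for r in rrs
                   if r["owner"] == sig["owner"] and r["type"] == sig["type_covered"]]
        if not covered:
            problems.append(f"RRSIG covers {sig['type_covered']} but no such RRset is present")
            continue
        if not (sig["inception"] <= now <= sig["expiration"]):
            problems.append(f"RRSIG for {sig['type_covered']} not valid at {now.isoformat()}: "
                            f"window {sig['inception'].isoformat()} .. {sig['expiration'].isoformat()}")
        # All RRs of an RRset and the RRSIG covering it should carry the same TTL
        # (RFC 4035 section 2.2); differing TTLs are the kind of thing DNSViz warns about.
        ttls = {r["ttl"] for r in covered} | {sig["ttl"]}
        if len(ttls) != 1:
            problems.append(f"TTLs differ within {sig['type_covered']} RRset/RRSIG: {sorted(ttls)}")
        # A cached TTL must never exceed the signer's original TTL.
        if max(ttls) > sig["original_ttl"]:
            problems.append(f"cached TTL {max(ttls)} exceeds RRSIG original TTL {sig['original_ttl']}")
    return {"ad": "ad" in flags, "rrsets": len(rrs), "rrsigs": len(sigs), "problems": problems}


if __name__ == "__main__":
    result = check_answer(SAMPLE, QUERY_TIME)
    print("AD set:", result["ad"])
    print("problems:", result["problems"] or "none")
```

For the sample in the thread the script reports AD set, a signature window of 2014-10-22 to 2014-11-21 that covers the query, and consistent TTLs (20039 cached, 86400 original), which is why the MX lookup itself validates. If a resolver instead returns SERVFAIL with validation enabled, repeating the query with `dig +cd` (checking disabled) is the quickest way to separate a validation failure from an ordinary outage.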