Is the FBI's DNSSEC broken?

Ray Van Dolson rvandolson at esri.com
Fri Aug 30 22:35:11 UTC 2013


On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
> I don't claim to be a big DNSSEC expert, but this looks just plain
> wrong to me, and unbound agrees, turning it into a SERVFAIL.
> 
> Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
> 
> $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
> 
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov.		IN	A
> 
> ;; ANSWER SECTION:
> mail.ic.fbi.gov.	600	IN	A	153.31.119.142
> mail.ic.fbi.gov.	600	IN	RRSIG	A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
> 
> ;; AUTHORITY SECTION:
> fbi.gov.		600	IN	NS	ns3.fbi.gov.
> fbi.gov.		600	IN	NS	ns5.fbi.gov.
> fbi.gov.		600	IN	NS	ns4.fbi.gov.
> fbi.gov.		600	IN	NS	ns2.fbi.gov.
> fbi.gov.		600	IN	NS	ns1.fbi.gov.
> fbi.gov.		600	IN	NS	ns6.fbi.gov.
> fbi.gov.		600	IN	RRSIG	NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
> 
> Here's a query for the same name, but for AAAA which it doesn't have:
> 
> $ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> 
> ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov.		IN	AAAA
> 
> ;; AUTHORITY SECTION:
> fbi.gov.		600	IN	SOA	ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
> 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200	IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> fbi.gov.		600	IN	RRSIG	SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
> 
> Shouldn't there be some more stuff there in the authority section,
> like an NSEC3 and RRSIG for mail.ic.fbi.gov?
> 
> Am I missing something, or is it broken?  The server says it's from
> Ultradns.
> 
> R's,
> John

Hi John;

I don't think you're alone on this!  Ref this thread (an issue we ran
into with accepting mail from ic.fbi.gov due to DNSSEC validation
failure) from July[1].

Have done my best to get someone's attention to fix the issue, but so
far no joy.

Ray

[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
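Added example, not part of either message above and not code from ISC, UltraDNS or the FBI: a small Python check that does what a validator like unbound does structurally with the AAAA response John pasted. It implements the NSEC3 owner-name hash from RFC 5155 section 5 (SHA-1, salt, iterations, base32hex) and then walks the authority section, reporting whether each NSEC3 RR is accompanied by an RRSIG covering NSEC3, and whether the hashed query name matches an NSEC3 owner (a NODATA proof) or falls between an owner and its "next" hash (a covering record). The authority lines are copied from the thread with the SOA signature body replaced by a placeholder, since signatures are not verified here; the `check_negative_proof` and `parse_rrs` names are this example's own.

```python
"""Structural check of an NSEC3 negative response (added example, RFC 5155 hash).

Signatures are not cryptographically verified; the point is to show what a
validator needs to find in the authority section before it can even start.
"""
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex, which sorts in the same order as the raw bytes.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)

# Authority section of the AAAA response from the thread (SOA RRSIG body replaced
# by a placeholder; only owner/type/rdata layout matters for this check).
FBI_AUTHORITY = """
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. SIGNATURE-PLACEHOLDER
"""


def nsec3_hash(name, salt_hex, iterations):
    """Lowercase base32hex NSEC3 hash of `name` per RFC 5155 section 5 (SHA-1 only)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    # Canonical wire form: length-prefixed lowercase labels, terminated by the root label.
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()       # IH(salt, x, 0)
    for _ in range(iterations):                        # IH(salt, x, k) = H(IH(k-1) || salt)
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def parse_rrs(text):
    """Parse one presentation-format RR per line into {owner, type, rdata} dicts."""
    rrs = []
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, *rdata = line.split()
        rrs.append({"owner": owner.lower(), "type": rtype.upper(), "rdata": rdata})
    return rrs


def check_negative_proof(qname, qtype, rrs):
    """Describe what the authority section proves about (qname, qtype) and why it may fail."""
    qname = qname.lower().rstrip(".") + "."
    findings, proof, qhash = [], None, None
    nsec3s = [rr for rr in rrs if rr["type"] == "NSEC3"]
    # (owner, covered type) pairs for every RRSIG present.
    sigs = {(rr["owner"], rr["rdata"][0].upper()) for rr in rrs if rr["type"] == "RRSIG"}
    if not nsec3s:
        findings.append("no NSEC3 RR in authority section: nothing proves denial")
    for rr in nsec3s:
        owner_hash = rr["owner"].split(".", 1)[0]
        alg, _flags, iters, salt, next_hash, *types = rr["rdata"]
        if (rr["owner"], "NSEC3") not in sigs:
            findings.append(f"NSEC3 {rr['owner']} has no RRSIG covering NSEC3; "
                            "a validator cannot use it and will SERVFAIL")
        if alg != "1":
            findings.append(f"NSEC3 {rr['owner']} uses unknown hash algorithm {alg}")
            continue
        qhash = nsec3_hash(qname, salt, int(iters))
        nxt = next_hash.lower()
        if qhash == owner_hash:
            # Owner matches the query name: a NODATA proof if the type bitmap lacks qtype.
            if qtype.upper() in {t.upper() for t in types}:
                findings.append(f"NSEC3 matches {qname} but its bitmap lists {qtype}")
            else:
                proof = "NODATA"
        elif (owner_hash < qhash < nxt) or (owner_hash > nxt and not nxt <= qhash <= owner_hash):
            # Hash falls in the gap (with wrap-around at the end of the chain): name absent.
            proof = proof or "COVERS"
    usable = proof is not None and not any("no RRSIG" in f for f in findings)
    return {"qname_hash": qhash, "proof": proof, "findings": findings, "usable": usable}


if __name__ == "__main__":
    result = check_negative_proof("mail.ic.fbi.gov", "AAAA", parse_rrs(FBI_AUTHORITY))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is it reports that the single NSEC3 in the response has no RRSIG covering it, which is sufficient for a validating resolver to reject the answer regardless of whether that NSEC3's owner hashes to the query name; the hash is also printed so the owner can be compared against it. The `nsec3_hash` function can be checked against the RFC 5155 Appendix A zone, where `example` with salt `aabbccdd` and 12 iterations hashes to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`.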
