.mil postmaster Contacts?

Ray Van Dolson rvandolson at esri.com
Wed Oct 29 15:00:34 UTC 2014


On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
> 
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Alain Hebert
> Sent: Wednesday, October 29, 2014 9:14 AM
> To: nanog at nanog.org
> Subject: Re: .mil postmaster Contacts?
> 
> > Might be related to the news (CNN this morning) about the WH network being
> > exploited for a few days now.
> > They might be going after some .mil too and the tightening up of those
> > networks may cause disruption.
> 
> 
> I think it has to do with DNSSEC.  The google DNS FAQ mentions (along with
> someone else who emailed me off-list) checking DNSVIZ for issues.  So
> looking at:
> http://dnsviz.net/d/disa.mil/dnssec/
> 
> seems to indicate some issues.   RRSET TTL MISMATCH I think they all are.
> Any DISA people on here?  Using a non-Google DNS (which I guess isn't doing
> DNSSEC validation) does resolve the names fine.
> 
> Chuck

I saw the same errors in dnsviz, but was unsure if they were sufficient
to cause lookup failures (they were "warnings" only).

# dig @8.8.8.8 disa.mil MX +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil.                      IN      MX

;; ANSWER SECTION:
disa.mil.               20039   IN      MX      5 indal.disa.mil.
disa.mil.               20039   IN      MX      0 pico.disa.mil.
disa.mil.               20039   IN      MX      10 dnipro.disa.mil.
disa.mil.               20039   IN      RRSIG   MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=

I see the "ad" flag in the query response flags, so am thinking this
lookup succeeded and was validated?

I do note that once we disabled DNSSEC on our resolvers we were able to
push mail out to these domains.  May have been coincidental -- needs
further testing.

Ray
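An added check (not part of this thread) that scripts what the reply above does by hand: parse the `dig +dnssec` output, confirm the AD flag is set, verify the RRSIG validity window, and check that TTLs within each signed RRset agree and do not exceed the RRSIG's Original TTL field, which is what an RRset TTL mismatch warning is about. The sample input is the dig output from the message above with the signature data shortened.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines of the dig output quoted in the
# reply above, with the signature data shortened.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
disa.mil.               20039   IN      MX      5 indal.disa.mil.
disa.mil.               20039   IN      MX      0 pico.disa.mil.
disa.mil.               20039   IN      MX      10 dnipro.disa.mil.
disa.mil.               20039   IN      RRSIG   MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9k...
"""

def _ts(s):
    """RRSIG expiration/inception timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig(text):
    """Return (header flags, [(name, ttl, type, rdata fields), ...])."""
    flags, records = set(), []
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
        elif line and not line.startswith(";"):
            name, ttl, _cls, rtype, *rdata = line.split()
            records.append((name, int(ttl), rtype, rdata))
    return flags, records

def check_dnssec(text, now):
    """Return the problems found; an empty list means the answer looks sound."""
    flags, records = parse_dig(text)
    when, problems = _ts(now), []
    if "ad" not in flags:  # resolver did not (or could not) validate the answer
        problems.append("AD flag missing: answer was not validated")
    for name, ttl, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered, orig_ttl = rdata[0], int(rdata[3])  # type covered, Original TTL
        if not _ts(rdata[5]) <= when <= _ts(rdata[4]):  # inception <= now <= expiration
            problems.append(f"RRSIG over {name} {covered} outside its validity window")
        ttls = {r[1] for r in records if r[0] == name and r[2] == covered}
        if len(ttls) > 1:  # every RR in a signed RRset must carry the same TTL
            problems.append(f"RRset {name} {covered} has mixed TTLs {sorted(ttls)}")
        # A cached answer has a decremented TTL (20039 < 86400 here is normal);
        # only a TTL above the Original TTL is an error.
        if max(ttls | {ttl}) > orig_ttl:
            problems.append(f"{name} {covered} TTL exceeds RRSIG original TTL {orig_ttl}")
    return problems
```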
