.mil postmaster Contacts?

Mark Andrews marka at isc.org
Wed Oct 29 21:19:26 UTC 2014


Well, the servers for DISA.MIL are not EDNS compliant; they drop
EDNS version 1 queries, and unless you are running an experimental
nameserver which expects EDNS version negotiation to work it shouldn't
be causing you issues yet.  Otherwise the lookups of the MX records
succeed.

There is no good reason to block EDNS version 1 queries. All it
does is break EDNS version negotiation.

Mark

In message <20141029150034.GA25731 at esri.com>, Ray Van Dolson writes:
> On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
> > 
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Alain Hebert
> > Sent: Wednesday, October 29, 2014 9:14 AM
> > To: nanog at nanog.org
> > Subject: Re: .mil postmaster Contacts?
> > 
> > > Might be related to the news (CNN this morning) about the WH network being
> > > exploited for a few days now.
> > > They might be going after some .mil too and the tightening up of those
> > > networks may cause disruption.
> > 
> > 
> > I think it has to do with DNSSEC.  The google DNS FAQ mentions (along with
> > someone else who emailed me off-list) checking DNSVIZ for issues.  So
> > looking at:
> > http://dnsviz.net/d/disa.mil/dnssec/
> > 
> > seems to indicate some issues.   RRSET TTL MISMATCH I think they all are.
> > Any DISA people on here?  Using a non-Google DNS (which I guess isn't doing
> > DNSSEC validation) does resolve the names fine.
> > 
> > Chuck
> 
> I saw the same errors in dnsviz, but was unsure if they were sufficient
> to cause lookup failures (they were "warnings" only).
> 
> # dig @8.8.8.8 disa.mil MX +dnssec
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;disa.mil.                      IN      MX
> 
> ;; ANSWER SECTION:
> disa.mil.               20039   IN      MX      5 indal.disa.mil.
> disa.mil.               20039   IN      MX      0 pico.disa.mil.
> disa.mil.               20039   IN      MX      10 dnipro.disa.mil.
> disa.mil.               20039   IN      RRSIG   MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
> 
> I see the "ad" flag in the query response flags, so am thinking this
> lookup succeeded and was validated?
> 
> I do note that once we disabled DNSSEC on our resolvers we were able to
> push mail out to these domains.  May have been coincidental -- needs
> further testing.
> 
> Ray
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
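As an added example (not part of the thread, and not ISC or DISA code), a standard-library Python probe for the behaviour Mark describes: it sends a query carrying an EDNS version 1 OPT record and tells a compliant BADVERS answer (RFC 6891, with version 0 offered back) apart from a silent drop. The server address and name are whatever you pass in; `probe` assumes UDP port 53 is reachable.

```python
import socket
import struct

OPT_TYPE, RCODE_BADVERS = 41, 16

def build_edns_query(qname, edns_version, qtype=15, txid=0x1234):
    """Wire-format query (MX by default) carrying one OPT RR of the given EDNS version."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode|version|flags (DO set)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, (edns_version << 16) | 0x8000, 0)
    return hdr + labels + b"\x00" + struct.pack("!HH", qtype, 1) + opt

def _skip_name(data, pos):
    while data[pos] and data[pos] & 0xC0 != 0xC0:  # walk labels until root or a compression pointer
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 else 1)

def parse_edns_response(data):
    """Return (12-bit rcode, EDNS version or None if no OPT RR) from a wire response."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", data[2:12])
    pos, rcode, version = 12, flags & 0xF, None
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(data, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == OPT_TYPE:  # upper 8 rcode bits and the version live in the OPT TTL field
            rcode, version = rcode | (ttl >> 24) << 4, (ttl >> 16) & 0xFF
        pos += 10 + rdlen
    return rcode, version

def classify(response):
    """Judge the answer to a version-1 probe; None means the server dropped it."""
    if response is None:
        return "dropped"  # silently discarding version 1 is what breaks EDNS version negotiation
    rcode, version = parse_edns_response(response)
    if rcode == RCODE_BADVERS and version == 0:
        return "compliant"  # RFC 6891: BADVERS plus the highest version the server supports
    return "unexpected rcode %d, version %s" % (rcode, version)

def probe(server, qname, timeout=3.0):
    """UDP probe of one server (assumed reachable on port 53) with an EDNS version-1 query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(qname, 1), (server, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return classify(None)
```

A "dropped" result from an authoritative server is the symptom Mark is pointing at; a plain NOERROR answer with version 0 means the server ignored the version rather than negotiating it.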