Well the servers for DISA.MIL are not EDNS compliant, they drop EDNS version 1 queries and unless you are running a experimental nameserver which expects EDNS version negotiation to work it shouldn't be causing you issues yet. Otherwise the lookups of the MX records succeed. There is no good reason to block EDNS version 1 queries. All it does is break EDNS version negotiation. Mark In message <20141029150034.GA25731@esri.com>, Ray Van Dolson writes:
On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Alain Hebert Sent: Wednesday, October 29, 2014 9:14 AM To: nanog@nanog.org Subject: Re: .mil postmaster Contacts?
Might be related to the news (CNN this morning) about the WH network bein
g
exploited for a few days now.
They might be going after some .mil to and the tightening up of those networks may cause disruption.
I think it has to do with DNSSEC. The google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at: http://dnsviz.net/d/disa.mil/dnssec/
seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.
Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).
# dig @8.8.8.8 disa.mil MX +dnssec
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX + dnssec ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;disa.mil. IN MX
;; ANSWER SECTION: disa.mil. 20039 IN MX 5 indal.disa.mil. disa.mil. 20039 IN MX 0 pico.disa.mil. disa.mil. 20039 IN MX 10 dnipro.disa.mil. disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 2 0141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI 70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQc jgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
I see the "ad" flag in the query response flags, so am thinking this lookup succeeded and was validated?
I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing.
Ray -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org