On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Alain Hebert
Sent: Wednesday, October 29, 2014 9:14 AM
To: nanog@nanog.org
Subject: Re: .mil postmaster Contacts?
Might be related to the news (CNN this morning) about the WH network being exploited for a few days now. They might be going after some .mil too, and the tightening up of those networks may cause disruption.
I think it has to do with DNSSEC. The Google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at: http://dnsviz.net/d/disa.mil/dnssec/
seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.
Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).

    # dig @8.8.8.8 disa.mil MX +dnssec

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512
    ;; QUESTION SECTION:
    ;disa.mil. IN MX

    ;; ANSWER SECTION:
    disa.mil. 20039 IN MX 5 indal.disa.mil.
    disa.mil. 20039 IN MX 0 pico.disa.mil.
    disa.mil. 20039 IN MX 10 dnipro.disa.mil.
    disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=

I see the "ad" flag in the query response flags, so am thinking this lookup succeeded and was validated? I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing.

Ray
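
Added example, not part of the original thread: a small Python parser for the dig output quoted above that reports the response status, the AD flag, and for each RRSIG whether the signature is inside its validity window and whether the cached TTL stays within the signed original TTL. The function name `summarize`, the verdict strings and the reference time are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Abridged from the dig output quoted above; the signature field is replaced
# by a placeholder because only the RRSIG metadata is inspected here.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. SIG
"""

def _ts(stamp):
    """RRSIG times in dig output are YYYYMMDDHHMMSS, always UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def summarize(text, now):
    """Return header status, AD flag, a verdict, and per-RRSIG checks."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    if status == "NOERROR" and "ad" in flags:
        verdict = "validated by resolver"
    elif status == "SERVFAIL":
        verdict = "failed; compare with +cd to see if validation is the cause"
    else:
        verdict = "answered without validation"
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith(";") or len(f) < 12 or f[3] != "RRSIG":
            continue
        # Field order: orig TTL, expiration, inception, key tag, signer.
        orig_ttl, expire, incept = int(f[7]), _ts(f[8]), _ts(f[9])
        sigs.append({
            "covers": f[4], "key_tag": int(f[10]), "signer": f[11],
            "in_window": incept <= now <= expire,   # signature currently valid
            "ttl_ok": int(f[1]) <= orig_ttl,        # cached TTL within signed TTL
            "days_left": (expire - now).days,
        })
    return {"status": status, "ad": "ad" in flags, "verdict": verdict, "rrsigs": sigs}

if __name__ == "__main__":
    # Time of the first message in the thread (10:43:34 -0400), in UTC.
    print(summarize(SAMPLE, datetime(2014, 10, 29, 14, 43, 34, tzinfo=timezone.utc)))
```

Run against a saved response from each resolver in question, the two summaries can be compared side by side; a SERVFAIL from the validating resolver that turns into an answer when the query is repeated with dig's `+cd` option points at validation rather than reachability.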