Is the FBI's DNSSEC broken?
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.

Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:

$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      A

;; ANSWER SECTION:
mail.ic.fbi.gov.        600     IN      A       153.31.119.142
mail.ic.fbi.gov.        600     IN      RRSIG   A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=

;; AUTHORITY SECTION:
fbi.gov.                600     IN      NS      ns3.fbi.gov.
fbi.gov.                600     IN      NS      ns5.fbi.gov.
fbi.gov.                600     IN      NS      ns4.fbi.gov.
fbi.gov.                600     IN      NS      ns2.fbi.gov.
fbi.gov.                600     IN      NS      ns1.fbi.gov.
fbi.gov.                600     IN      NS      ns6.fbi.gov.
fbi.gov.                600     IN      RRSIG   NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=

Here's a query for the same name, but for AAAA which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      AAAA

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=

Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG for mail.ic.fbi.gov?

Am I missing something, or is it broken? The server says it's from Ultradns.

R's,
John
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.
Hi John; I don't think you're alone on this! Ref this thread (an issue we ran into with accepting mail from ic.fbi.gov due to DNSSEC validation failure) from July[1]. Have done my best to get someone's attention to fix the issue, but so far no joy. Ray [1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
In message <20130830223510.GA10878@esri.com>, Ray Van Dolson writes:
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.
Here's a query for the same name, but for AAAA which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      AAAA

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG for mail.ic.fbi.gov?
The NSEC3 is there and it is correct. What is missing is the signature for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
%

Mark
Am I missing something, or is it broken? The server says it's from Ultradns.
R's, John
Hi John;
I don't think you're alone on this! Ref this thread (an issue we ran into with accepting mail from ic.fbi.gov due to DNSSEC validation failure) from July[1].
Have done my best to get someone's attention to fix the issue, but so far no joy.
Ray
[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
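Mark's nsec3hash step is the whole diagnosis, so here it is worked through in code. This is an added example, not something posted in the thread or shipped with BIND or Unbound: it implements the RFC 5155 NSEC3 hash (SHA-1 over the canonical wire-format name plus salt, re-hashed with the salt `iterations` more times, base32hex-encoded), reproduces Mark's result for mail.ic.fbi.gov with salt BBAB and 10 iterations, and then applies the NODATA-proof rules from RFC 5155 section 8.5 to the two authority sections in the thread (the broken one and the fixed one). The record lists are transcribed by hand from the dig output above with the signature data abbreviated, since the check only tests which RRsets carry an RRSIG; it does not verify the signatures cryptographically, and the function and variable names are mine.

```python
"""NSEC3 hashing and a NODATA-proof check for the mail.ic.fbi.gov AAAA response (added example)."""
import base64
import hashlib

# NSEC3 owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7),
# so translate from Python's standard base32 alphabet to that one.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form: length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: SHA-1 over (name || salt), re-hashed with the salt `iterations` more times."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii")


# Authority sections transcribed from the dig output in the thread as (owner, type, rdata).
# Signature data is abbreviated ("..."): this check only looks at which RRsets carry an RRSIG.
BROKEN_AUTHORITY = [
    ("fbi.gov.", "SOA", "ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200"),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "NSEC3",
     "1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG"),
    ("fbi.gov.", "RRSIG", "SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. ..."),
]
FIXED_AUTHORITY = [
    ("fbi.gov.", "SOA", "ns1.fbi.gov. dns-admin.fbi.gov. 2013090301 7200 3600 2592000 43200"),
    ("fbi.gov.", "RRSIG", "SOA 7 2 600 20131202142044 20130903142044 32497 fbi.gov. ..."),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "NSEC3",
     "1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG"),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "RRSIG",
     "NSEC3 7 3 43200 20131202142044 20130903142044 32497 fbi.gov. ..."),
]


def check_nodata_proof(qname: str, qtype: str, zone: str, authority) -> list:
    """Problems with an NSEC3 NODATA proof (RFC 5155 section 8.5); an empty list means it is complete.

    For an existing name the response must carry the NSEC3 whose owner is the hash of qname,
    that NSEC3's type bitmap must lack both qtype and CNAME, and the NSEC3 RRset must itself be
    signed. Cryptographic verification of the RRSIGs is deliberately out of scope here.
    """
    problems = []
    signed = {(owner.lower(), rdata.split()[0])
              for owner, rtype, rdata in authority if rtype == "RRSIG"}
    matched = False
    for owner, rtype, rdata in authority:
        if rtype != "NSEC3":
            continue
        alg, _flags, iters, salt, _next_hashed, *types = rdata.split()
        expected = f"{nsec3_hash(qname, salt, int(iters), int(alg))}.{zone}".lower()
        if owner.lower() != expected:
            continue  # an NSEC3 for some other name: not the matching record for qname
        matched = True
        if qtype.upper() in types or "CNAME" in types:
            problems.append(f"NSEC3 at {owner} does not deny {qtype}: bitmap is {' '.join(types)}")
        if (owner.lower(), "NSEC3") not in signed:
            problems.append(f"NSEC3 at {owner} has no covering RRSIG")
    if not matched:
        problems.append(f"no NSEC3 in the response matches the hash of {qname}")
    return problems


if __name__ == "__main__":
    print(nsec3_hash("mail.ic.fbi.gov", "BBAB", 10))
    print("broken:", check_nodata_proof("mail.ic.fbi.gov", "AAAA", "fbi.gov.", BROKEN_AUTHORITY))
    print("fixed: ", check_nodata_proof("mail.ic.fbi.gov", "AAAA", "fbi.gov.", FIXED_AUTHORITY))
```

The matching NSEC3 and its bitmap ("A RRSIG", no AAAA) are exactly what a NODATA proof needs, so the server's negative answer was right in substance; what turns it into a SERVFAIL is that an unsigned NSEC3 carries no more weight than no NSEC3 at all, leaving the validator with an unproven denial in a signed zone, which it must treat as bogus. The fixed response differs only in the added RRSIG over the NSEC3.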
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.
I heard back, seems like I found someone at the FBI who was able to explain the problem to Neustar (DNS software provider) who say they will fix it.

R's,
John
Le 03/09/2013 23:28, John Levine a écrit :
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.

I heard back, seems like I found someone at the FBI who was able to explain the problem to Neustar (DNS software provider) who say they will fix it.
So, what was the problem then?

Cheers,
mh
R's, John
In message <52265AA4.6000404@free.fr>, Michael Hallgren writes:
Le 03/09/2013 23:28, John Levine a écrit :
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.

I heard back, seems like I found someone at the FBI who was able to explain the problem to Neustar (DNS software provider) who say they will fix it.
So, what was the problem then?
The main problem is that no one is reading / following up email sent to the advertised contact address for fbi.gov (dns-admin@fbi.gov). This ultimately is a management problem within the FBI.
Cheers,
mh
R's, John
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
In article <52265AA4.6000404@free.fr> you write:
Le 03/09/2013 23:28, John Levine a écrit :
On Fri, Aug 30, 2013 at 10:27:36PM +0000, John Levine wrote:
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL. I heard back, seems like I found someone at the FBI who was able to explain the problem to Neustar (DNS software provider) who say they will fix it.
So, what was the problem then?
What we said it was, missing signatures on some NODATA results.
I heard back, seems like I found someone at the FBI who was able to explain the problem to Neustar (DNS software provider) who say they will fix it.
Seems to be fixed now. Here's the formerly broken query, via unbound:

; <<>> DiG 9.8.3-P4 <<>> mail.ic.fbi.gov aaaa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24041
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      AAAA

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013090301 7200 3600 2592000 43200
fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131202142044 20130903142044 32497 fbi.gov. lGgY8jWxYyxqi/pezCXZpSnY7B2UqDTvOQMrxt+REnd7rCHs2qU2U5k3 qnfAOVbPr2lEOVaChT9i+tElTQNfZxrmg0DvR+Nluj9DBD6kfwPnGdOT iBZJvrEhNsq5fY0DJ3jF7RMzr9YtA+Jl1T6bM+aWiUgXn9zvFT39+ReJ vA0=
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN RRSIG NSEC3 7 3 43200 20131202142044 20130903142044 32497 fbi.gov. ZqMr4lUifz0n46YCL/s/qa3iMp0Hz8OhIuYC/uDgWzwPJsD26VTECG0G aG4xWUlmumfm6GLMppo07keXa273bsJEYXgXVhTEWHMbDqrc5xhBPykG C53E8N36dcmzdnfN+v7cVnwWXdPOKMrIBPrZhBuHD2qT0QepAgdo8Aoa lgQ=

;; Query time: 161 msec
;; SERVER: 192.168.80.2#53(192.168.80.2)
;; WHEN: Mon Sep  9 09:41:43 2013
;; MSG SIZE  rcvd: 509
participants (4): John Levine, Mark Andrews, Michael Hallgren, Ray Van Dolson