We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with? navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
Ray
On Mon, Oct 27, 2014 at 10:52:07AM -0700, Ray Van Dolson wrote:
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well.
Anyone else seeing the same or can point me to a technical POC to start with?
navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
When we (state gummint) had trouble delivering work-related mail to some .mil addresses in our state, I found that the best way was to look up the contacts on the installation's website, make a phone call, and ask for the IT people. We found that sometimes they shut mail down, sometimes higher HQ publish an overly wide firewall block list, and sometimes Stuff Just Happens. YMMV, as always.
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
Those all appear to be going through DISA's Enterprise Email system.
http://www.disa.mil/Services/Computing/~/media/Files/DISA/Services/Computing...
If they don't have an option specifically for Enterprise Email, try contacting the extension for Oklahoma City.
-----------------------------------------------------------------------------------------------
-ITG (ITechGeek)
ITG@ITechGeek.Com
https://itg.nu/
GPG Keys: https://itg.nu/contact/gpg-key
Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net
On Mon, Oct 27, 2014 at 2:23 PM, Mike A <mikea@mikea.ath.cx> wrote:
On Mon, Oct 27, 2014 at 10:52:07AM -0700, Ray Van Dolson wrote:
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well.
Anyone else seeing the same or can point me to a technical POC to start with?
navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
When we (state gummint) had trouble delivering work-related mail to some .mil addresses in our state, I found that the best way was to look up the contacts on the installation's website, make a phone call, and ask for the IT people.
We found that sometimes they shut mail down, sometimes higher HQ publish an overly wide firewall block list, and sometimes Stuff Just Happens.
YMMV, as always.
-- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin
You sure it's not a DNS issue? I've had problems resolving various *.disa.mil sites today. Google DNS claims they don't exist.
Chuck
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ray Van Dolson Sent: Monday, October 27, 2014 1:52 PM To: nanog@nanog.org Subject: .mil postmaster Contacts?
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well. Anyone else seeing the same or can point me to a technical POC to start with? navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
Ray
It *might* have been. Things cleared up yesterday. I initially thought it was the result of disabling DNSSEC on our primary resolvers, but am less certain that was the "fix" now as I don't see any issues with their config (per dnsviz).
Ray
On Mon, Oct 27, 2014 at 09:03:15PM -0400, Chuck Church wrote:
You sure it's not a DNS issue? I've had problems resolving various *.disa.mil sites today. Google DNS claims they don't exist.
Chuck
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ray Van Dolson Sent: Monday, October 27, 2014 1:52 PM To: nanog@nanog.org Subject: .mil postmaster Contacts?
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well.
Anyone else seeing the same or can point me to a technical POC to start with?
navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
Ray
On 10/27/14 21:03, Chuck Church wrote:
You sure it's not a DNS issue? I've had problems resolving various *.disa.mil sites today. Google DNS claims they don't exist.
Chuck
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Ray Van Dolson Sent: Monday, October 27, 2014 1:52 PM To: nanog@nanog.org Subject: .mil postmaster Contacts?
We're seeing issues delivering email to certain .mil domains. MX hosts for these domains are not responding on port 25 and have verified from off-network as well.
Anyone else seeing the same or can point me to a technical POC to start with?
navy.mil, usmc.mil, uscg.mil are just a few that seem to be having issues.
Ray
Might be related to the news (CNN this morning) about the WH network being exploited for a few days now.
They might be going after some .mil too, and the tightening up of those networks may cause disruption.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Alain Hebert Sent: Wednesday, October 29, 2014 9:14 AM To: nanog@nanog.org Subject: Re: .mil postmaster Contacts?
Might be related to the news (CNN this morning) about the WH network being exploited for a few days now. They might be going after some .mil too, and the tightening up of those networks may cause disruption.
I think it has to do with DNSSEC. The google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at: http://dnsviz.net/d/disa.mil/dnssec/ seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.
Chuck
On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Alain Hebert Sent: Wednesday, October 29, 2014 9:14 AM To: nanog@nanog.org Subject: Re: .mil postmaster Contacts?
Might be related to the news (CNN this morning) about the WH network being exploited for a few days now. They might be going after some .mil too, and the tightening up of those networks may cause disruption.
I think it has to do with DNSSEC. The google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at: http://dnsviz.net/d/disa.mil/dnssec/
seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.
Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).
# dig @8.8.8.8 disa.mil MX +dnssec
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil. IN MX
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
I see the "ad" flag in the query response flags, so am thinking this lookup succeeded and was validated? I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing.
Ray
Well the servers for DISA.MIL are not EDNS compliant, they drop EDNS version 1 queries and unless you are running an experimental nameserver which expects EDNS version negotiation to work it shouldn't be causing you issues yet. Otherwise the lookups of the MX records succeed. There is no good reason to block EDNS version 1 queries. All it does is break EDNS version negotiation.
Mark
In message <20141029150034.GA25731@esri.com>, Ray Van Dolson writes:
On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Alain Hebert Sent: Wednesday, October 29, 2014 9:14 AM To: nanog@nanog.org Subject: Re: .mil postmaster Contacts?
Might be related to the news (CNN this morning) about the WH network being exploited for a few days now.
They might be going after some .mil too, and the tightening up of those networks may cause disruption.
I think it has to do with DNSSEC. The google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at: http://dnsviz.net/d/disa.mil/dnssec/
seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.
Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).
# dig @8.8.8.8 disa.mil MX +dnssec
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil. IN MX
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
I see the "ad" flag in the query response flags, so am thinking this lookup succeeded and was validated?
I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing.
Ray
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
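The two checks argued over in this thread, Ray's "does a DO-bit MX query come back with the ad flag?" and Mark's "does the authoritative server answer an EDNS version 1 query with BADVERS, or silently drop it?", can be done without dig. The script below is an added example written for this archive, not code from any list participant; it uses only the Python standard library, speaks raw DNS wire format over UDP port 53, and treats all hostnames, resolver addresses and record contents as placeholders (the synth_response() helper builds constructed replies for offline testing and is not real server output). It generalises the thread's single-domain case to any domain/resolver/authoritative-server triple passed on the command line.

```python
# Added example (not from the thread): stdlib-only probe for the two checks
# discussed above. All names and addresses are placeholders / constructed.
import random
import socket
import struct

BADVERS = 16        # extended RCODE "EDNS version not supported" (RFC 6891)
OPT_TYPE = 41
MX_TYPE = 15
AD_FLAG = 0x0020    # header flag bit 5: Authenticated Data

def encode_name(name):
    """Wire-format a dotted name (uncompressed; fine for queries and rdata)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=MX_TYPE, edns_version=0, do_bit=True, qid=None):
    """Standard RD query plus one OPT record carrying the EDNS version / DO bit."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD, 1 Q, 1 AR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT "TTL" field layout: ext-rcode(8) | version(8) | DO(1) + Z(15)
    ttl = (edns_version << 16) | (0x8000 if do_bit else 0)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Offset just past a (possibly compression-pointer) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract what the thread cares about: AD flag, full (extended) RCODE,
    the EDNS version the server answered with, and the MX answer count."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    ext_rcode, edns_version, mx_answers = 0, None, 0
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == MX_TYPE and i < an:        # answer section only
            mx_answers += 1
        elif rtype == OPT_TYPE:
            ext_rcode, edns_version = ttl >> 24, (ttl >> 16) & 0xFF
    return {"id": qid, "ad": bool(flags & AD_FLAG),
            "rcode": (ext_rcode << 4) | (flags & 0x000F),
            "edns_version": edns_version, "mx_answers": mx_answers}

def classify_edns1_probe(response):
    """Reaction of an authoritative server to an EDNS version 1 query.
    response = parse_response() output, or None when nothing came back."""
    if response is None:
        return "drops-edns1"     # the non-compliant behaviour Mark describes
    if response["rcode"] == BADVERS and response["edns_version"] == 0:
        return "compliant"       # RFC 6891: BADVERS + highest version supported
    return "unexpected"

def mx_rr(host, preference=0, ttl=20039):
    """Constructed answer-section MX RR; owner is a pointer to the question name."""
    rdata = struct.pack("!H", preference) + encode_name(host)
    return b"\xc0\x0c" + struct.pack("!HHIH", MX_TYPE, 1, ttl, len(rdata)) + rdata

def synth_response(query, ad=False, rcode=0, edns_version=0, answer_rrs=b"", ancount=0):
    """Constructed reply to `query` for offline tests; not real server output."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (AD_FLAG if ad else 0) | (rcode & 0x000F)   # QR RD RA [AD]
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1)
    opt_ttl = ((rcode >> 4) << 24) | (edns_version << 16)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, opt_ttl, 0)
    return header + query[12:qend] + answer_rrs + opt

def send_udp(packet, server, timeout=3.0):
    """One UDP exchange; None on timeout (what a dropped EDNS1 query looks like)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def check_mx_validation(domain, resolver):
    """DO-bit MX query to a validating resolver; 'ad' True means it validated."""
    reply = send_udp(build_query(domain), resolver)
    return None if reply is None else parse_response(reply)

def probe_edns1(domain, auth_server):
    """EDNS version 1 query sent straight at an authoritative server."""
    reply = send_udp(build_query(domain, edns_version=1), auth_server)
    return classify_edns1_probe(None if reply is None else parse_response(reply))

if __name__ == "__main__":
    import sys
    domain, resolver, auth = sys.argv[1:4]   # e.g. example.mil 8.8.8.8 <auth-ns-ip>
    print("resolver view:", check_mx_validation(domain, resolver))
    print("EDNS1 probe  :", probe_edns1(domain, auth))
```

Read the two outputs together the way Mark does: a resolver reply with ad set and MX answers present means validation is not what is blocking delivery, and an EDNS1 probe that times out while plain queries succeed is a version-negotiation bug on the authoritative side, not a reason to switch validation off.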
participants (6)
- Alain Hebert
- Chuck Church
- ITechGeek
- Mark Andrews
- Mike A
- Ray Van Dolson