On 7/17/13 2:38 PM, Mark Andrews wrote:
>
> In message <1673423961.50595218.1374096753729.javamail.r...@k-state.edu>,
> "Lawrence K. Chen, P.Eng." writes:
>>
>>
>> ----- Original Message -----
>>> On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote:
>>>> On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote:
>>>>> Hello;
>>>>>
>>>>> Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version --
>>>>> bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving
>>>>> ic.fbi.gov that seems to be DNSSEC related.
>>>>>
>>>>> Am fairly certain of this because if I set dnssec-enable and
>>>>> dnssec-validation to no (have them at 'yes' normally), resolution
>>>>> succeeds.
>>>>>
>>>>> If I run a dig @nameserver ic.fbi.gov from a client machine, dig just
>>>>> hangs for a bit then eventually times out. dig @nameserver fbi.gov
>>>>> works fine....
>>>>
>>>> This is one of the weirder ones I've seen. . . there are TXT and MX
>>>> records for ic.fbi.gov, both correctly signed:
>>>>
>>>> ;; ANSWER SECTION:
>>>> ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120
>>>> 20130716154120 32497 fbi.gov.
>>>> kuorwabpVJ5QJqPhInJXhAQZgCSbB/xT6A7lkvoqJck5EBzn62UANtMk
>>>> mYVcNNXXJUWPZATKbldsCbluos8NJyE33vdRft/I7+YRCgUsJ/ZFSmdR
>>>> OknrSTQbc8M4YzvclEKVRuDBu5P8wuufmWWqNtXl+vrUgTo97CE9EYQ7 CJw=
>>>> ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
>>>> ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120
>>>> 20130716154120 32497 fbi.gov.
>>>> iWlwUHl1KrUopGu6ixdCoNyquco3UNaip8cFONOpHNo8p/KjEYmiDyhL
>>>> z2DWslNwbUuvh/nConYy86clgPZB3Q9MaxuhMNbiZCpsRPds98Yh+Fbg
>>>> 4U3WDRy+ww8DFLpozZc+3gBLYtcnS9UDtZOmNEjxEzDf6Zw5eyUfggpX nxY=
>>>> ic.fbi.gov. 261 IN TXT "v=spf1 a mx ptr:mail.leo.gov
>>>> mx:mail.ic.fbi.gov ip4:153.31.119.132 a:mail.leo.gov
>>>> include:mail.leo.gov mx:mail.leo.gov ?all"
>>>>
>>>> There's also an NSEC3 record for ic.fbi.gov, asserting that there are
>>>> only MX, TXT and RRSIG records for it:
>>>>
>>>> 7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB
>>>> 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
>>>>
>>>> However, that NSEC3 record is not signed. If you ask for ic.fbi.gov
>>>> with checking disabled but also request DNSSEC records, you'll get
>>>> it. If you ask with checking enabled, you won't, because it can't be
>>>> validated. This seems to be true for the whole fbi.gov zone, at least
>>>> the records I checked. So any query to fbi.gov that returns a record
>>>> will be okay, anything that doesn't will end up with a SERVFAIL.
>>>>
>>>> Bill.
>>>>
>>>
>>> Thanks for the replies, all. Am trying to find a hostmaster contact at
>>> fbi.gov to make them aware.
>>>
>>> In the meantime, I'll convince Sendmail to not try to look up this
>>> domain during sender verification. :)
>>>
>>> Ray
>>> _______________________________________________
>>
>>
>> Try contacting dotgov.gov
>>
>> regist...@dotgov.gov or 877-734-4688 or 703-948-0723
>>
>> They'll have phone numbers for the people they need to contact for
>> fbi.gov to get things fixed.
>
> Which would not be required if .gov had a properly functioning whois.
> Could all US residents on this list contact your Congress Critters
> and complain about this stupidity.
The SOA RNAME should work:

fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200

fbi.gov's MX is resolvable down to an IP address, so mail should get
through, depending on your MTA.

michael
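
The check Bill describes in the quoted text (an NSEC3 record returned with no covering RRSIG), as an added example that is not part of the original thread: a small Python parser that reads dig-style record lines and lists every RRset that no RRSIG covers. It assumes one record per line from a query made with dig's +dnssec and +cd options; the sample input is constructed from the records quoted in the thread, with signatures replaced by a placeholder and the TXT data shortened, and the function names are this example's own.

```python
"""Find RRsets in dig-style output that have no covering RRSIG."""


def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) for each record line of dig output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comment/section headers
        fields = line.split()
        # Expected layout: owner TTL class type rdata...
        if len(fields) < 5 or not fields[1].isdigit() or fields[2] != "IN":
            continue
        yield fields[0].lower(), fields[3].upper(), fields[4:]


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that lack an RRSIG covering that type."""
    present, covered = set(), set()
    for owner, rrtype, rdata in parse_records(text):
        if rrtype == "RRSIG":
            # The first RDATA field of an RRSIG is the type it covers.
            covered.add((owner, rdata[0].upper()))
        else:
            present.add((owner, rrtype))
    return sorted(present - covered)


# Constructed sample: records from the thread gathered into one listing,
# signatures replaced by PLACEHOLDERSIG=, TXT data shortened.
SAMPLE = """\
;; ANSWER SECTION:
ic.fbi.gov. 261 IN RRSIG MX 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG=
ic.fbi.gov. 261 IN MX 10 mail.ic.fbi.gov.
ic.fbi.gov. 261 IN RRSIG TXT 7 3 600 20131014154120 20130716154120 32497 fbi.gov. PLACEHOLDERSIG=
ic.fbi.gov. 261 IN TXT "v=spf1 a mx ?all"
;; AUTHORITY SECTION:
7PLEGSLCCDFUBJ53UG8E19T9MH9HIP2B.fbi.gov. 370 IN NSEC3 1 0 10 BBAB 7PPJ5IC2PQQ5HTFGU7I2908P3DRN5FUO MX TXT RRSIG
"""

if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE):
        print(f"no RRSIG covers {rrtype} at {owner}")
```

An RRSIG missing from output captured without +dnssec says nothing about the zone, since the server only returns signatures when the query asks for DNSSEC records.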