Hi Marc,

Yes, on my DNS server, if I do a dig @8.8.8.8, I got an answer (with AD bit set). I also do a dig @pac1.nipr.mil, I got an answer (with AA bit set).

However, when I do dig @localhost, that is where I don't get any result at all.

All the DNSSEC tools out there, like dnsviz.net, dnsstuff.com, dnscheck.iis.se, they all show DNSSEC error for uscg.mil.

Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov

From: Marc Lampo [mailto:marc.lampo.i...@gmail.com]
Sent: Thursday, November 14, 2013 1:16 PM
To: Khuu, Linh Contractor
Cc: Bind Users Mailing List
Subject: Re: Does anyone have DNSSEC problem with uscg.mil

Not at this moment :

$ dig @8.8.8.8 mx uscg.mil. +dnssec

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 mx uscg.mil. +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;uscg.mil. IN MX

;; ANSWER SECTION:
uscg.mil. 8478 IN MX 40 smtp-gateway-4.uscg.mil.
uscg.mil. 8478 IN MX 40 smtp-gateway-4a.uscg.mil.
uscg.mil. 8478 IN MX 10 smtp-gateway-2.uscg.mil.
uscg.mil. 8478 IN MX 20 smtp-gateway-5a.uscg.mil.
uscg.mil. 8478 IN MX 10 smtp-gateway-1.uscg.mil.
uscg.mil. 8478 IN MX 20 smtp-gateway-5.uscg.mil.
uscg.mil. 8478 IN MX 10 smtp-gateway-1a.uscg.mil.
uscg.mil. 8478 IN MX 10 smtp-gateway-2a.uscg.mil.
uscg.mil. 8478 IN RRSIG MX 7 2 86400 20131118074336 20131113074105 53369 uscg.mil. F...

Observe : AD bit set.

Kind regards,

On Thu, Nov 14, 2013 at 7:00 PM, Khuu, Linh Contractor <linh.k...@ssa.gov> wrote:

Hi,

Does anyone have any DNSSEC problem with uscg.mil?

On our DNS servers, we have seen broken trust chain error and the validation failed.

14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: in authvalidated
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: authvalidated: got broken trust chain
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: resuming nsecvalidate
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: attempting positive response validation
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: in fetch_callback_validator
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: starting
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: attempting positive response validation
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: in fetch_callback_validator
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure

Thanks,

Linh Khuu
Network Security Specialist
Northrop Grumman IS | Civil Systems Division (CSD)
Office: 410-965-0746
Pager: 443-847-7551
Email: linh.k...@ssa.gov

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
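Added example, not part of the original messages or of BIND itself: a small Python triage script that groups the validator failures from the named log excerpt in this thread by owner name and record type, and reads the flag set from a dig header line so the AD/AA comparison described above can be scripted. The log and header lines are copied from the thread with link debris removed; the function names `triage` and `dig_flags` are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the thread above (mail-client link debris removed).
SAMPLE_LOG = """\
14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: authvalidated: got broken trust chain
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure
"""
SAMPLE_FLAGS = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1"

# "lame-servers" category: resolver gave up on name/type via a given upstream.
RESOLVE_RE = re.compile(
    r"lame-servers: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+")
# "dnssec" category at debug level: only the lines where the validator "got" a result.
VALIDATE_RE = re.compile(
    r"dnssec: debug \d+: validating @\w+: (?P<name>\S+) "
    r"(?P<rtype>[A-Z0-9]+): (?:\w+: )?got (?P<reason>.+)$")

def triage(log_text):
    """Group DNSSEC validation failures by (owner name, record type)."""
    failures = defaultdict(lambda: {"reasons": set(), "servers": set()})
    for line in log_text.splitlines():
        m = RESOLVE_RE.search(line) or VALIDATE_RE.search(line)
        if not m:
            continue  # progress lines such as "starting" carry no verdict
        entry = failures[(m["name"].rstrip(".").lower(), m["rtype"])]
        entry["reasons"].add(m["reason"])
        if "server" in m.groupdict():
            entry["servers"].add(m["server"])
    return dict(failures)

def dig_flags(header_line):
    """Return the flag set from a dig ';; flags:' header line."""
    m = re.search(r";; flags: ([a-z ]+);", header_line)
    return set(m.group(1).split()) if m else set()

if __name__ == "__main__":
    for (name, rtype), info in sorted(triage(SAMPLE_LOG).items()):
        print(name, rtype, sorted(info["reasons"]), sorted(info["servers"]))
    flags = dig_flags(SAMPLE_FLAGS)
    print("validated (AD):", "ad" in flags, "| authoritative (AA):", "aa" in flags)
```
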