Hello,

dnsstuff.com gives me all green for DNSSEC of uscg.mil.
dnsviz.net gives warnings (not errors) on all RRSIGs: something with TTL values.

What is odd, but should not be fatal, is that uscg.mil authoritative name servers send replies with "strange" TTL values.
1) uscg.mil. 77481 IN MX 40 smtp-gateway-4.uscg.mil.
2) uscg.mil. 77439 IN MX 40 smtp-gateway-4.uscg.mil.
--> TTL is decreasing for that RR (strangely enough, TTL does not decrease for other RRs in the RRset, and consequently is different from the one shown above).

Now the RRSIG over the MX RRset says the TTL in the zone file is 86400:
uscg.mil. 80850 IN RRSIG MX 7 2 86400 ...

Although weird:
1) TTL values of all RRs in the RRset should be identical
2) the authoritative name server partly behaves as if it were replying from cache
these abnormalities should not be fatal, in my opinion.

I wonder what kind of name servers uscg.mil uses?

Kind regards,

On Thu, Nov 14, 2013 at 7:22 PM, Khuu, Linh Contractor <linh.k...@ssa.gov> wrote:
> Hi Marc,
>
> Yes, on my DNS server, if I do a dig @8.8.8.8, I got answer (with AD bit set). I also do a dig @pac1.nipr.mil, I got answer (with AA bit set).
>
> However, when I do dig @localhost, that is where I don't get any result at all.
>
> All the DNSSEC tools out there, like dnsviz.net, dnsstuff.com, dnscheck.iis.se, they all show DNSSEC error for uscg.mil.
>
> Linh Khuu
> Network Security Specialist
> Northrop Grumman IS | Civil Systems Division (CSD)
> Office: 410-965-0746
> Pager: 443-847-7551
> Email: linh.k...@ssa.gov
>
> From: Marc Lampo [mailto:marc.lampo.i...@gmail.com]
> Sent: Thursday, November 14, 2013 1:16 PM
> To: Khuu, Linh Contractor
> Cc: Bind Users Mailing List
> Subject: Re: Does anyone have DNSSEC problem with uscg.mil
>
> Not at this moment:
> $ dig @8.8.8.8 mx uscg.mil. +dnssec
>
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 mx uscg.mil. +dnssec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42506
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 512
> ;; QUESTION SECTION:
> ;uscg.mil. IN MX
>
> ;; ANSWER SECTION:
> uscg.mil. 8478 IN MX 40 smtp-gateway-4.uscg.mil.
> uscg.mil. 8478 IN MX 40 smtp-gateway-4a.uscg.mil.
> uscg.mil. 8478 IN MX 10 smtp-gateway-2.uscg.mil.
> uscg.mil. 8478 IN MX 20 smtp-gateway-5a.uscg.mil.
> uscg.mil. 8478 IN MX 10 smtp-gateway-1.uscg.mil.
> uscg.mil. 8478 IN MX 20 smtp-gateway-5.uscg.mil.
> uscg.mil. 8478 IN MX 10 smtp-gateway-1a.uscg.mil.
> uscg.mil. 8478 IN MX 10 smtp-gateway-2a.uscg.mil.
> uscg.mil. 8478 IN RRSIG MX 7 2 86400 20131118074336 20131113074105 53369 uscg.mil. F...
>
> Observe: AD bit set.
>
> Kind regards,
>
> On Thu, Nov 14, 2013 at 7:00 PM, Khuu, Linh Contractor <linh.k...@ssa.gov> wrote:
>
> Hi,
>
> Does anyone have any DNSSEC problem with uscg.mil.
>
> On our DNS servers, we have seen broken trust chain error and the validation failed.
>
> 14-Nov-2013 12:57:37.486 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
> 14-Nov-2013 12:57:37.573 lame-servers: error (broken trust chain) resolving 'uscg.mil/A/IN': 199.211.218.6#53
> 14-Nov-2013 12:57:37.658 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
> 14-Nov-2013 12:57:37.743 lame-servers: error (broken trust chain) resolving 'uscg.mil/MX/IN': 199.211.218.6#53
>
> 14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: in authvalidated
> 14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: authvalidated: got broken trust chain
> 14-Nov-2013 12:58:12.878 dnssec: debug 3: validating @23cee638: uscg.mil AAAA: resuming nsecvalidate
> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: starting
> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: attempting positive response validation
> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: in fetch_callback_validator
> 14-Nov-2013 12:58:13.058 dnssec: debug 3: validating @23cee638: uscg.mil A: fetch_callback_validator: got failure
> 14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: starting
> 14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: attempting positive response validation
> 14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: in fetch_callback_validator
> 14-Nov-2013 12:58:13.233 dnssec: debug 3: validating @23cee638: uscg.mil MX: fetch_callback_validator: got failure
>
> Thanks,
> Linh Khuu
> Network Security Specialist
> Northrop Grumman IS | Civil Systems Division (CSD)
> Office: 410-965-0746
> Pager: 443-847-7551
> Email: linh.k...@ssa.gov
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
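A small checker for the TTL anomalies Marc points out above (mixed TTLs inside one RRset, an RRSIG whose TTL does not match the RRset it covers, and RR TTLs above the RRSIG Original TTL field). This is an added example, not code from the thread or from BIND; the sample records are constructed from the answers quoted in the thread, with the signature data shortened.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the answers quoted in the thread (signature shortened).
SAMPLE = """\
uscg.mil. 77481 IN MX 40 smtp-gateway-4.uscg.mil.
uscg.mil. 77439 IN MX 40 smtp-gateway-4a.uscg.mil.
uscg.mil. 80850 IN RRSIG MX 7 2 86400 20131118074336 20131113074105 53369 uscg.mil. F...
"""

# owner TTL IN TYPE rdata  (dig presentation format; comment lines never match)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_rrs(text):
    """Parse dig-style answer lines into (owner, ttl, type, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            rrs.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rrs

def check_rrset_ttls(text):
    """Return (owner, type, finding) tuples for: mixed TTLs in an RRset (RFC 2181 s5.2),
    an RR TTL above the RRSIG Original TTL (RFC 4035 s5.3.3: validators may lower a TTL,
    never raise it), or an RRSIG TTL that differs from its RRset's TTL (RFC 4035 s2.2)."""
    ttls = defaultdict(set)   # (owner, type) -> TTLs seen in the answer
    sigs = {}                 # (owner, covered type) -> (RRSIG TTL, Original TTL)
    for owner, ttl, rtype, rdata in parse_rrs(text):
        if rtype == "RRSIG":
            f = rdata.split()   # type-covered alg labels orig-ttl expire incept keytag signer sig
            sigs[(owner, f[0])] = (ttl, int(f[3]))
        else:
            ttls[(owner, rtype)].add(ttl)
    findings = []
    for key, seen in sorted(ttls.items()):
        if len(seen) > 1:
            findings.append((*key, "mixed TTLs in RRset: %s" % sorted(seen)))
        if key in sigs:
            sig_ttl, original_ttl = sigs[key]
            if max(seen) > original_ttl:
                findings.append((*key, "RR TTL %d exceeds RRSIG Original TTL %d" % (max(seen), original_ttl)))
            if sig_ttl not in seen:
                findings.append((*key, "RRSIG TTL %d does not match RRset TTL(s) %s" % (sig_ttl, sorted(seen))))
    return findings

if __name__ == "__main__":
    for owner, rtype, msg in check_rrset_ttls(SAMPLE):
        print("%s %s: %s" % (owner, rtype, msg))
```

Run against the sample it reports the two anomalies from the thread (TTLs 77439/77481 in one MX RRset, RRSIG TTL 80850 not matching them); a validating resolver such as BIND treats these as warnings, not as a broken trust chain.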