Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Ray Van Dolson
Hello; Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that seems to be DNSSEC related. Am fairly certain of this because if I set dnssec-enable and dnssec-validation to no (have them at 'yes'

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Sten Carlsen
From here i see a fast response using the local server: ~ $ dig ic.fbi.gov ; DiG 9.7.6-P1 ic.fbi.gov ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: _/*NOERROR*/_, id: 2421 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
It appears to me that the NSEC3 record that is denying the existence of the DS record for ic.fbi.gov does not have a corresponding RRSIG. That's based on a fairly cursory glance. This seems to be the case for all of the NSEC3 records in fbi.gov. Something's messed up in fbi.gov. michael PS:

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Bill Owens
On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote: Hello; Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that seems to be DNSSEC related. Am fairly certain of this because if

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Ray Van Dolson
On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote: Hello; Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot an issue resolving ic.fbi.gov that

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Lawrence K. Chen, P.Eng.
- Original Message - On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote: Hello; Running BIND 9.8.2 in RHEL6 (at the latest vendor provided version -- bind-9.8.2-0.17.rc1) and trying to troubleshoot

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Mark Andrews
In message 1673423961.50595218.1374096753729.javamail.r...@k-state.edu, Lawr ence K. Chen, P.Eng. writes: - Original Message - On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van Dolson wrote: Hello; Running

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Michael Sinatra
On 7/17/13 2:38 PM, Mark Andrews wrote: In message 1673423961.50595218.1374096753729.javamail.r...@k-state.edu, Lawr ence K. Chen, P.Eng. writes: - Original Message - On Wed, Jul 17, 2013 at 01:58:25PM -0400, Bill Owens wrote: On Wed, Jul 17, 2013 at 09:49:18AM -0700, Ray Van

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Mark Andrews
In message 51e712e5.60...@rancid.berkeley.edu, Michael Sinatra writes: On 7/17/13 2:38 PM, Mark Andrews wrote: In message 1673423961.50595218.1374096753729.javamail.r...@k-state.edu, Lawr ence K. Chen, P.Eng. writes: - Original Message - On Wed, Jul 17, 2013 at

Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-17 Thread Ray Van Dolson
On Wed, Jul 17, 2013 at 02:55:49PM -0700, Michael Sinatra wrote: Try contacting dotgov.gov regist...@dotgov.gov or 877-734-4688 or 703-948-0723 They'll have phone numbers for the people they need to contact for fbi.gov to get things fixed. Which would not be required if .gov