Is the FBI's DNSSEC broken?

Mailman List Mirror (Read Only)
1

I don't claim to be a big DNSSEC expert, but this looks just plain wrong
to me, and unbound agrees, turning it into a SERVFAIL.

Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:

$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov. IN A

;; ANSWER SECTION:
mail.ic.fbi.gov. 600 IN A 153.31.119.142
mail.ic.fbi.gov. 600 IN RRSIG A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=

;; AUTHORITY SECTION:
fbi.gov. 600 IN NS ns3.fbi.gov.
fbi.gov. 600 IN NS ns5.fbi.gov.
fbi.gov. 600 IN NS ns4.fbi.gov.
fbi.gov. 600 IN NS ns2.fbi.gov.
fbi.gov. 600 IN NS ns1.fbi.gov.
fbi.gov. 600 IN NS ns6.fbi.gov.
fbi.gov. 600 IN RRSIG NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=

Here's a query for the same name, but for AAAA which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov. IN AAAA

;; AUTHORITY SECTION:
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=

Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG
for mail.ic.fbi.gov?

Am I missing something, or is it broken? The server says it's from Ultradns.

R's,
John

2

Hi John;

I don't think you're alone on this! Ref this thread (an issue we ran
into with accepting mail from ic.fbi.gov due to DNSSEC validation
failure) from July[1].

Have done my best to get someone's attention to fix the issue, but so
far no joy.

Ray

[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html

3

> I don't claim to be a big DNSSEC expert, but this looks just plain
> wrong to me, and unbound agrees, turning it into a SERVFAIL.
>
> Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov. IN A
>
> ;; ANSWER SECTION:
> mail.ic.fbi.gov. 600 IN A 153.31.119.142
> mail.ic.fbi.gov. 600 IN RRSIG A 7 4 600 20131124123847 201308
26123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiG
ryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IR
b3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
>
> ;; AUTHORITY SECTION:
> fbi.gov. 600 IN NS ns3.fbi.gov.
> fbi.gov. 600 IN NS ns5.fbi.gov.
> fbi.gov. 600 IN NS ns4.fbi.gov.
> fbi.gov. 600 IN NS ns2.fbi.gov.
> fbi.gov. 600 IN NS ns1.fbi.gov.
> fbi.gov. 600 IN NS ns6.fbi.gov.
> fbi.gov. 600 IN RRSIG NS 7 2 600 20131124123847 20130
826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0Dh
ZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYc
cR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
>
> Here's a query for the same name, but for AAAA which it doesn't have:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
>
> ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov aaaa +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov. IN AAAA
>
> ;; AUTHORITY SECTION:
> fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov.
2013082601 7200 3600 2592000 43200
> 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97
S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> fbi.gov. 600 IN RRSIG SOA 7 2 600 20131124123847 2013
0826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV
26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MM
c9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
>
> Shouldn't there be some more stuff there in the authority section,
> like an NSEC3 and RRSIG for mail.ic.fbi.gov?

The NSEC3 is there and it is correct. What is missing is the
signature for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
%

Mark

4

I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS software provider) who say they
will fix it.

R's,
John

5

I don't claim to be a big DNSSEC expert, but this looks just plain
wrong to me, and unbound agrees, turning it into a SERVFAIL.

I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS software provider) who say they
will fix it.

So, what was the problem then?

Cheers,

mh

6

>>>> I don't claim to be a big DNSSEC expert, but this looks just plain
>>>> wrong to me, and unbound agrees, turning it into a SERVFAIL.
> I heard back, seems like I found someone at the FBI who was able to
> explain the problem to Neustar (DNS software provider) who say they
> will fix it.

So, what was the problem then?

The main problem is that no one is reading / following up email
sent to the advertised contact address for fbi.gov (dns-admin@fbi.gov).

This ultimately is a management problem within the FBI.

7

In article <52265AA4.6000404@free.fr> you write:

8

I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS software provider) who say they
will fix it.

Seems to be fixed now. Here's the formerly broken query, via unbound:

; <<>> DiG 9.8.3-P4 <<>> mail.ic.fbi.gov aaaa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24041
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.ic.fbi.gov. IN AAAA

;; AUTHORITY SECTION:
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013090301 7200 3600 2592000 43200
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131202142044 20130903142044 32497 fbi.gov. lGgY8jWxYyxqi/pezCXZpSnY7B2UqDTvOQMrxt+REnd7rCHs2qU2U5k3 qnfAOVbPr2lEOVaChT9i+tElTQNfZxrmg0DvR+Nluj9DBD6kfwPnGdOT iBZJvrEhNsq5fY0DJ3jF7RMzr9YtA+Jl1T6bM+aWiUgXn9zvFT39+ReJ vA0=
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN RRSIG NSEC3 7 3 43200 20131202142044 20130903142044 32497 fbi.gov. ZqMr4lUifz0n46YCL/s/qa3iMp0Hz8OhIuYC/uDgWzwPJsD26VTECG0G aG4xWUlmumfm6GLMppo07keXa273bsJEYXgXVhTEWHMbDqrc5xhBPykG C53E8N36dcmzdnfN+v7cVnwWXdPOKMrIBPrZhBuHD2qT0QepAgdo8Aoa lgQ=

;; Query time: 161 msec
;; SERVER: 192.168.80.2#53(192.168.80.2)
;; WHEN: Mon Sep 9 09:41:43 2013
;; MSG SIZE rcvd: 509