We're seeing issues deliving email to certain .mil domains. MX hosts
for these domains are not responding on port 25 and have verified from
off-network as well.
Anyone else seeing the same or can point me to a technical POC to start
with?
navy.mil, usmc.mil, uscg.mil are just a few that seem to be having
issues.
Ray
When we (state gummint) had trouble delivering work-related mail to some .mil
addresses in our state, I found that the best way was to look up the contacts
on the installation's website, make a phone call, and ask for the IT people.
We found that sometimes they shut mail down, sometimes higher HQ publish an
overly wide firewall block list, and sometimes Stuff Just Happens.
YMMV, as always.
Those all appear to be going through DISA's Enterprise Email system.
If they don't have an option specifically for Enterprise Email, try
contacting the extension for Oklahoma City.
You sure it's not a DNS issue? I've had problems resolving various
*.disa.mil sites today. Google DNS claims they don't exist.
Chuck
It *might* have been. Things cleared up yesterday. I initially
thought it was the result of disabling DNSSEC on our primary resolvers,
but am less certain that was the "fix" now as I don't see any issues
with their config (per dnsviz).
Ray
Might be related to the news (CNN this morning) about the WH network
being exploited for a few days now.
They might be going after some .mil to and the tightening up of those
networks may cause disruption.
Might be related to the news (CNN this morning) about the WH network being
exploited for a few days now.
They might be going after some .mil to and the tightening up of those
networks may cause disruption.
I think it has to do with DNSSEC. The google DNS FAQ mentions (along with
someone else who emailed me off-list) checking DNSVIZ for issues. So
looking at:
http://dnsviz.net/d/disa.mil/dnssec/
seems to indicate some issues. RRSET TTL MISMATCH I think they all are.
Any DISA people on here? Using a non-Google DNS (which I guess isn't doing
DNSSEC validation) does resolve the names fine.
Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient
to cause lookup failures (they were "warnings" only).
# dig @8.8.8.8 disa.mil MX +dnssec
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil. IN MX
;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
I see the "ad" flag in the query response flags, so am thinking this
lookup succeeded and was validated?
I do note that once we disabled DNSSEC on our resolvers we were able to
push mail out to these domains. May have been coincidental -- needs
further testing.
Ray
Well the servers for DISA.MIL are not EDNS compliant, they drop
EDNS version 1 queries and unless you are running a experimental
nameserver which expects EDNS version negotiation to work it shouldn't
be causing you issues yet. Otherwise the lookups of the MX records
succeed.
There is no good reason to block EDNS version 1 queries. All it
does is break EDNS version negotiation.
Mark