[nsp-sec] DNSSEC for epa.gov
Jason Gardiner
gardiner at direcpath.com
Tue Aug 16 18:48:20 EDT 2011
On 8/16/2011 5:39 PM, Michael Sinatra wrote:
> On 08/16/11 13:21, Aaron Hughes wrote:
>> ----------- nsp-security Confidential --------
>>
>> Jason,
>>
>> I see Authenticated Data from them. Which server are you using to query?
>>
>> dig @packet.6connect.net +dnssec epa.gov | grep flags
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> I am also seeing proper validation, from es.net's validating servers, as
> well as the caching nameserver running on my own workstation. Dnsviz
> also shows epa.gov looking good.
>
> In addition to Aaron's question, what record are you querying for?
>
>
Hrm...
Looks like it's something I haven't seen. And is probably way out of
the scope of this list. The host I'm trying to resolve is
webmail.epa.gov. However, there is no A record for this host, only a
CNAME for v18h1drtay041.aa.ad.epa.gov. I think there's a problem with
our resolvers. But it does raise some interesting issues.
(iproute) /home/gardiner > host -t A webmail.epa.gov packet.6connect.net
;; connection timed out; no servers could be reached
(iproute) /home/gardiner > host webmail.epa.gov packet.6connect.net
;; connection timed out; no servers could be reached
(iproute) /home/gardiner > host -t CNAME webmail.epa.gov packet.6connect.net
Using domain server:
Name: packet.6connect.net
Address: 2600:3c01::f03c:91ff:fe93:957f#53
Aliases:
webmail.epa.gov is an alias for v18h1drtay041.aa.ad.epa.gov.
(iproute) /home/gardiner > host -t ANY webmail.epa.gov packet.6connect.net
Using domain server:
Name: packet.6connect.net
Address: 2600:3c01::f03c:91ff:fe93:957f#53
Aliases:
webmail.epa.gov has RRSIG record CNAME 7 3 43200 20110915042054
20110816042054 767 epa.gov.
IHX2Cre8oYz7Z67Svju5zYNz4M4hBhTmdOJ7505mgCvNHoPwD0KNxu7x
UfOLFfvEi6wBx9j1HKjsNhkt7vMJjnehfO1utiOm4GC1cP7FyQOWVLb7
4m5uxUf+45sckb9nhPWEpgRQgDiMwU66pZYR+qZECaDbvyYCj9e6qULw 7Bg=
webmail.epa.gov is an alias for v18h1drtay041.aa.ad.epa.gov.
It appears that certain programs may default to performing an A query
and DNSSEC is returning a SERVFAIL if there is no record instead of an
NXDOMAIN. So I'm guessing that fallback to other query types is
problematic in DNSSEC and the type should be set to ANY?
At any rate, I'd love comments, questions and suggestions off-list.
--
Thanks,
Jason Gardiner
Director, Network Engineering
DirecPath, LLC
w. 404.961.7024
c. 404.557.4007
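[Editor's note, added to the archived thread; this is not code from the poster or from any nsp-sec tool.] The three outcomes being compared above (an AD-flagged answer, a CNAME whose target yields no A record, and a SERVFAIL) are distinguishable from the DNS header and answer section alone, so the example below builds constructed wire-format responses with the standard library and classifies them the way a troubleshooter would: rcode first, then the AD bit, then whether the answer actually carries the requested type after the CNAME. A NOERROR response containing a CNAME but no A record is a NODATA condition, not NXDOMAIN, and a validating resolver signals a validation failure as SERVFAIL, which a retry with the CD bit (dig +cd) would then answer. The names, addresses and the placeholder RRSIG RDATA are made up for illustration; a real RRSIG would of course carry a signature.

```python
"""Classify DNSSEC-aware resolver responses from raw DNS wire format.

Added example, not from the nsp-sec thread. All names, RDATA and the
20-byte RRSIG placeholder are constructed for illustration.
"""
import struct

# RCODEs per RFC 1035
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
# RR types and class
TYPE_A, TYPE_CNAME, TYPE_RRSIG = 1, 5, 46
CLASS_IN = 1
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_RRSIG: "RRSIG"}

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, qtype, rcode, answers, ad=True):
    """Build a minimal response: QR=1, RD=1, RA=1, optional AD, one question.
    answers is a list of (owner, rtype, rdata_bytes) placed in the answer section."""
    flags = 0x8000 | 0x0100 | 0x0080 | (0x0020 if ad else 0) | rcode
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    body = b""
    for owner, rtype, rdata in answers:
        body += encode_name(owner)
        body += struct.pack("!HHIH", rtype, CLASS_IN, 43200, len(rdata)) + rdata
    return hdr + question + body

def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + ln

def parse_response(msg):
    """Extract rcode, AD/CD bits and the RR types in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answer_types": types}

def classify(msg, qtype=TYPE_A):
    """Say what the resolver is telling us about the queried type."""
    r = parse_response(msg)
    if r["rcode"] == SERVFAIL:
        return "SERVFAIL: resolver failure; if a +cd retry answers, DNSSEC validation failed"
    if r["rcode"] == NXDOMAIN:
        return "NXDOMAIN: name does not exist" + (" (validated)" if r["ad"] else "")
    if r["rcode"] != NOERROR:
        return "rcode %d" % r["rcode"]
    tag = " (AD set: validated)" if r["ad"] else " (AD clear: not validated)"
    want = TYPE_NAMES.get(qtype, str(qtype))
    if qtype in r["answer_types"]:
        return "NOERROR: answer contains %s" % want + tag
    if TYPE_CNAME in r["answer_types"]:
        return "NOERROR/NODATA: CNAME returned but no %s for its target" % want + tag
    return "NOERROR/NODATA: no %s records" % want + tag

# Constructed sample responses (not real epa.gov data)
QNAME = "webmail.example.test."
TARGET = "host1.internal.example.test."
RESP_OK = build_response(QNAME, TYPE_A, NOERROR, [
    (QNAME, TYPE_CNAME, encode_name(TARGET)),
    (QNAME, TYPE_RRSIG, b"\x00" * 20),          # placeholder, not a real signature
    (TARGET, TYPE_A, bytes([192, 0, 2, 10])),
])
RESP_NODATA = build_response(QNAME, TYPE_A, NOERROR, [
    (QNAME, TYPE_CNAME, encode_name(TARGET)),   # CNAME present, no A follows
])
RESP_SERVFAIL = build_response(QNAME, TYPE_A, SERVFAIL, [], ad=False)
RESP_NX = build_response("nosuch.example.test.", TYPE_A, NXDOMAIN, [])

if __name__ == "__main__":
    for label, resp in [("ok", RESP_OK), ("nodata", RESP_NODATA),
                        ("servfail", RESP_SERVFAIL), ("nxdomain", RESP_NX)]:
        print("%-9s %s" % (label, classify(resp)))
```

Run it to see the four classifications side by side; to apply the same logic to live traffic, feed the raw bytes of a dig or socket response into classify() instead of the constructed messages.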