[outages] NIST (time.nist.gov, etc) DNSSEC bogus

Stephane Bortzmeyer bortzmeyer at nic.fr
Fri Aug 26 05:03:16 EDT 2016


Several NIST services such as time.nist.gov or www.nist.gov are not
reachable if you use a DNSSEC-validating resolver (as you
should). These names are aliases to something under the broken zone
glb.nist.gov. There are four DS in nist.gov for glb.nist.gov, 56334,
7398, 56900 and 21797. There are four DNSKEY in nist.gov, 31787,
20630, 38289 and 60249. As you can see, there is not one key in
common. As a result, everything under glb.nist.gov has SERVFAILed since
at least 2016-08-25 17:27:40 UTC.

Also, there is no email in the SOA of nist.gov and the whois of .gov
is not informative :-(

Here is a test by the RIPE Atlas probes in the USA. 28% of the probes
cannot resolve time.nist.gov because they get the SERVFAIL:

% atlas-resolve -r 500 -c US time.nist.gov
[ERROR: FORMERR] : 5 occurrences
[216.228.192.69] : 3 occurrences
[TIMEOUT(S)] : 11 occurrences
[131.107.13.100] : 9 occurrences
[64.113.32.5] : 2 occurrences
[128.138.140.44] : 2 occurrences
[132.163.4.101] : 6 occurrences
[132.163.4.102] : 8 occurrences
[132.163.4.103] : 12 occurrences
[128.138.141.172] : 34 occurrences
[24.56.178.140] : 193 occurrences
[129.6.15.30] : 4 occurrences
[216.229.0.179] : 48 occurrences
[129.6.15.28] : 5 occurrences
[129.6.15.27] : 8 occurrences
[ERROR: SERVFAIL] : 143 occurrences
Test #4699376 done at 2016-08-26T08:44:13Z

And here is a test with the popular public resolver Google Public DNS:

% dig @8.8.8.8 A time.nist.gov

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 A time.nist.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;time.nist.gov.         IN A

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 26 10:50:48 CEST 2016
;; MSG SIZE  rcvd: 42

And here with online DNS testing services:

http://dnsviz.net/d/glb.nist.gov/V78qjA/dnssec/
https://zonemaster.net/test/2e7cf7509e346b82
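The failure the post describes, a DS RRset in the parent whose key tags match none of the child's DNSKEYs, is exactly the check a validating resolver performs before it can trust anything in the child zone. The Python below is an added example, not code from the post, from NIST or from the tools linked above: it parses DNSKEY and DS records in presentation format, computes key tags (RFC 4034 Appendix B) and DS digests (RFC 4034 section 5.1.4), and reports which DS/DNSKEY pairs actually chain. The four DS key tags are the ones quoted in the post; their digests and the child DNSKEY public keys are constructed placeholders, so nothing here reflects NIST's real records, and no DNS queries are made.

```python
"""Does the parent's DS RRset match any DNSKEY in the child zone?

Added example for this page, not code from the post.  The DS key tags are the
four quoted in the post; the DS digests and the DNSKEY public keys are
constructed placeholders, not NIST's real records.  Everything runs offline.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def from_text(cls, text):
        # Presentation format: "<flags> <protocol> <algorithm> <base64 key...>"
        flags, protocol, algorithm, *key = text.split()
        return cls(int(flags), int(protocol), int(algorithm),
                   base64.b64decode("".join(key)))

    def rdata(self):
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self):
        # RFC 4034 Appendix B: 16-bit checksum over the whole RDATA.
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    @classmethod
    def from_text(cls, text):
        # Presentation format: "<key tag> <algorithm> <digest type> <hex digest...>"
        key_tag, algorithm, digest_type, *digest = text.split()
        return cls(int(key_tag), int(algorithm), int(digest_type),
                   bytes.fromhex("".join(digest)))


# Digest types a validator understands (RFC 4034, RFC 4509, RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    # Canonical wire form of an owner name: lowercase, length-prefixed labels.
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, key, digest_type):
    # RFC 4034 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)
    return DIGESTS[digest_type](wire_name(owner) + key.rdata()).digest()


def make_ds(owner, key, digest_type=2):
    """The DS a parent should publish for `key` (what the child's operator has
    to hand to the parent after every KSK rollover)."""
    return DS(key.key_tag(), key.algorithm, digest_type, ds_digest(owner, key, digest_type))


def ds_matches(owner, ds, key):
    # A key tag match alone is not enough (tags collide); the digest must agree too.
    return (ds.key_tag == key.key_tag()
            and ds.algorithm == key.algorithm
            and ds.digest_type in DIGESTS
            and ds.digest == ds_digest(owner, key, ds.digest_type))


def check_delegation(owner, ds_set, dnskeys):
    """Return the (DS, DNSKEY) pairs that chain.  An empty list is the post's
    situation: the validator has no trusted key for the child, every name under
    it is bogus, and the resolver answers SERVFAIL."""
    return [(ds, key) for ds in ds_set for key in dnskeys if ds_matches(owner, ds, key)]


ZONE = "glb.nist.gov."

# Key tags from the post; the digests are all-zero placeholders (constructed).
PARENT_DS = [DS.from_text(f"{tag} 8 2 {'00' * 32}")
             for tag in (56334, 7398, 56900, 21797)]

# Constructed child DNSKEYs with tiny fake public keys (key tags 2063 and 4118).
CHILD_DNSKEYS = [DNSKEY.from_text("257 3 8 AQIDBA=="),
                 DNSKEY.from_text("256 3 8 BQYHCA==")]

if __name__ == "__main__":
    print("DS key tags in parent:   ", sorted(ds.key_tag for ds in PARENT_DS))
    print("DNSKEY key tags in child:", sorted(k.key_tag() for k in CHILD_DNSKEYS))
    chain = check_delegation(ZONE, PARENT_DS, CHILD_DNSKEYS)
    print("chain:", "OK" if chain else "BROKEN (no DS matches any DNSKEY -> SERVFAIL)")
    # What the parent would have to publish to repair this delegation:
    fixed = make_ds(ZONE, CHILD_DNSKEYS[0])
    print("correct DS:", fixed.key_tag, fixed.algorithm, fixed.digest_type, fixed.digest.hex())
```

Run against real data, the inputs would be the DS RRset fetched from the nist.gov servers and the DNSKEY RRset fetched from the glb.nist.gov servers; comparing key tags, as the post does, is the quick triage, while the digest comparison in `ds_matches` is what the validator really requires, so a parent DS with the right tag but a stale digest still breaks the chain.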
