nanog mailing list archives

Re: Is the FBI's DNSSEC no longer broken?


From: "John Levine" <johnl () iecc com>
Date: 9 Sep 2013 13:42:37 -0000

I heard back, seems like I found someone at the FBI who was able to
explain the problem to Neustar (DNS software provider) who say they
will fix it.

Seems to be fixed now.  Here's the formerly broken query, via unbound:


; <<>> DiG 9.8.3-P4 <<>> mail.ic.fbi.gov aaaa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24041
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      AAAA

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013090301 7200 3600 2592000 43200
fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131202142044 20130903142044 32497 fbi.gov. 
lGgY8jWxYyxqi/pezCXZpSnY7B2UqDTvOQMrxt+REnd7rCHs2qU2U5k3 qnfAOVbPr2lEOVaChT9i+tElTQNfZxrmg0DvR+Nluj9DBD6kfwPnGdOT 
iBZJvrEhNsq5fY0DJ3jF7RMzr9YtA+Jl1T6bM+aWiUgXn9zvFT39+ReJ vA0=
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN RRSIG NSEC3 7 3 43200 20131202142044 20130903142044 32497 fbi.gov. 
ZqMr4lUifz0n46YCL/s/qa3iMp0Hz8OhIuYC/uDgWzwPJsD26VTECG0G aG4xWUlmumfm6GLMppo07keXa273bsJEYXgXVhTEWHMbDqrc5xhBPykG 
C53E8N36dcmzdnfN+v7cVnwWXdPOKMrIBPrZhBuHD2qT0QepAgdo8Aoa lgQ=

;; Query time: 161 msec
;; SERVER: 192.168.80.2#53(192.168.80.2)
;; WHEN: Mon Sep  9 09:41:43 2013
;; MSG SIZE  rcvd: 509
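
A check one can run on the NSEC3 record in the output above, as an added example that is not part of the original post: it computes the RFC 5155 hash of the queried name with the record's salt and iteration count, compares it with the NSEC3 owner label, and confirms that the queried type and CNAME are absent from the type bitmap, which is what a NODATA proof requires. The function names are illustrative, and the code does not verify the RRSIG signatures.

```python
import base64
import hashlib

# NSEC3 owner labels use base32hex (RFC 4648) without padding.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (algorithm 1, SHA-1) of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    # Canonical wire format: length-prefixed lowercase labels, then the root.
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")

def parse_nsec3(line):
    """Split a presentation-format NSEC3 record as dig prints it."""
    f = line.split()
    if f[3] != "NSEC3" or f[4] != "1":
        raise ValueError("not a SHA-1 NSEC3 record")
    owner_label, zone = f[0].split(".", 1)
    return {"owner_hash": owner_label.upper(), "zone": zone,
            "iterations": int(f[6]), "salt": f[7],
            "next_hash": f[8].upper(), "types": set(f[9:])}

def nodata_check(qname, qtype, nsec3_line):
    """Return (owner_matches_qname, qtype_and_cname_absent_from_bitmap)."""
    rec = parse_nsec3(nsec3_line)
    h = nsec3_hash(qname, rec["salt"], rec["iterations"])
    absent = not ({qtype.upper(), "CNAME"} & rec["types"])
    return h == rec["owner_hash"], absent

# NSEC3 record copied from the AUTHORITY section of the dig output above.
FBI_NSEC3 = ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN NSEC3 "
             "1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG")

if __name__ == "__main__":
    matches, absent = nodata_check("mail.ic.fbi.gov", "AAAA", FBI_NSEC3)
    print("NSEC3 owner matches hash of qname:", matches)
    print("AAAA and CNAME absent from type bitmap:", absent)
```

If the first value prints False, the record does not match the queried name directly and a closest-encloser proof would be needed instead, which this sketch does not cover.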


