nanog mailing list archives
Re: .mil postmaster Contacts?
From: Ray Van Dolson <rvandolson () esri com>
Date: Wed, 29 Oct 2014 08:00:34 -0700
On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:
-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Alain Hebert
Sent: Wednesday, October 29, 2014 9:14 AM
To: nanog () nanog org
Subject: Re: .mil postmaster Contacts?

Might be related to the news (CNN this morning) about the WH network being exploited for a few days now.

They might be going after some .mil too and the tightening up of those networks may cause disruption.

I think it has to do with DNSSEC. The Google DNS FAQ mentions (along with someone else who emailed me off-list) checking DNSVIZ for issues. So looking at:

http://dnsviz.net/d/disa.mil/dnssec/

seems to indicate some issues. RRSET TTL MISMATCH I think they all are. Any DISA people on here? Using a non-Google DNS (which I guess isn't doing DNSSEC validation) does resolve the names fine.

Chuck
I saw the same errors in dnsviz, but was unsure if they were sufficient to cause lookup failures (they were "warnings" only).

# dig @8.8.8.8 disa.mil MX +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil. IN MX

;; ANSWER SECTION:
disa.mil. 20039 IN MX 5 indal.disa.mil.
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN MX 10 dnipro.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=

I see the "ad" flag in the query response flags, so am thinking this lookup succeeded and was validated?

I do note that once we disabled DNSSEC on our resolvers we were able to push mail out to these domains. May have been coincidental -- needs further testing.

Ray
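Added example, not part of the original post or thread: a small Python parser that reads dig output like the response quoted above and reports what the header status, the AD flag and the RRSIG validity window say about DNSSEC validation at the resolver. The function names are hypothetical and the sample input is constructed from the quoted header and RRSIG lines, with the signature bytes replaced by a placeholder.

```python
import re
from datetime import datetime, timezone

# Constructed sample: header and RRSIG lines abridged from the dig output in the
# post above; the signature data is replaced by a placeholder.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
disa.mil. 20039 IN MX 0 pico.disa.mil.
disa.mil. 20039 IN RRSIG MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. PLACEHOLDER=
"""

def _ts(s):
    # RRSIG timestamps are presented as YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_dig(text):
    """Extract status, header flags and RRSIG fields from dig text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    sigs = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels orig_ttl expiration inception tag signer sig
        if len(f) >= 12 and not line.startswith(";") and f[3] == "RRSIG":
            sigs.append({"covers": f[4], "ttl": int(f[1]), "orig_ttl": int(f[7]),
                         "expires": _ts(f[8]), "inception": _ts(f[9]),
                         "key_tag": int(f[10])})
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [],
            "rrsigs": sigs}

def assess(parsed, now):
    """Return findings about the resolver's validation state at time `now`."""
    out = []
    if parsed["status"] == "SERVFAIL":
        out.append("SERVFAIL: possible validation failure; compare with dig +cd")
    elif "ad" in parsed["flags"]:
        out.append("AD set: resolver reports the answer as DNSSEC-validated")
    else:
        out.append("AD clear: answer not validated by this resolver")
    for s in parsed["rrsigs"]:
        if not s["inception"] <= now <= s["expires"]:
            out.append(f"RRSIG {s['covers']} outside validity window")
        if s["ttl"] > s["orig_ttl"]:
            out.append(f"RRSIG {s['covers']} TTL exceeds original TTL")
    return out

if __name__ == "__main__":
    when = datetime(2014, 10, 29, 15, 0, 34, tzinfo=timezone.utc)  # post time in UTC
    print(assess(parse_dig(SAMPLE), when))
```

The AD flag reflects only what the queried resolver concluded; a SERVFAIL that turns into an answer when the same query is repeated with `+cd` (checking disabled) points at validation rather than reachability.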