nanog mailing list archives

Re: .mil postmaster Contacts?


From: Ray Van Dolson <rvandolson () esri com>
Date: Wed, 29 Oct 2014 08:00:34 -0700

On Wed, Oct 29, 2014 at 10:43:34AM -0400, Chuck Church wrote:

> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Alain Hebert
> Sent: Wednesday, October 29, 2014 9:14 AM
> To: nanog () nanog org
> Subject: Re: .mil postmaster Contacts?
> 
> Might be related to the news (CNN this morning) about the WH network being
> exploited for a few days now.
> They might be going after some .mil too, and the tightening up of those
> networks may cause disruption.
> 
> I think it has to do with DNSSEC.  The Google DNS FAQ mentions (along with
> someone else who emailed me off-list) checking DNSViz for issues.  So
> looking at:
> http://dnsviz.net/d/disa.mil/dnssec/
> 
> seems to indicate some issues.  RRSET TTL MISMATCH I think they all are.
> Any DISA people on here?  Using a non-Google DNS (which I guess isn't doing
> DNSSEC validation) does resolve the names fine.
> 
> Chuck

I saw the same errors in dnsviz, but was unsure if they were sufficient
to cause lookup failures (they were "warnings" only).

# dig @8.8.8.8 disa.mil MX +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil.                      IN      MX

;; ANSWER SECTION:
disa.mil.               20039   IN      MX      5 indal.disa.mil.
disa.mil.               20039   IN      MX      0 pico.disa.mil.
disa.mil.               20039   IN      MX      10 dnipro.disa.mil.
disa.mil.               20039   IN      RRSIG   MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil. 
lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe 
OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=

I see the "ad" flag in the query response flags, so am thinking this
lookup succeeded and was validated?

I do note that once we disabled DNSSEC on our resolvers we were able to
push mail out to these domains.  May have been coincidental -- needs
further testing.

Ray
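
A check for the three things the thread is eyeballing by hand (the AD bit, the RRSIG validity window, and whether the RRSIG's TTL agrees with the RRset it covers), as an added example that is not part of the original post. It parses the `dig +dnssec` output quoted above, embedded as a constructed sample so it runs offline, and builds a second constructed sample with the RRSIG's TTL deliberately altered so the RFC 4035 section 2.2 rule (an RRSIG RR's TTL MUST match the TTL of the RRset it covers) is seen being flagged; that rule is what DNSViz's RRSET TTL MISMATCH warning appears to correspond to, which is an assumption here. Function and variable names are the example's own.

```python
"""Sanity checks on a `dig +dnssec` answer: AD bit, RRSIG validity window, and
RRSIG/RRset TTL agreement (RFC 4035 section 2.2). Added example, not from the
original post or from any DNS tool's own code."""
import re
from datetime import datetime, timezone

# Constructed sample: the dig output quoted in the message above, including
# the wrapped RRSIG continuation lines as they appear in the archive.
SAMPLE = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 disa.mil MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;disa.mil.                      IN      MX

;; ANSWER SECTION:
disa.mil.               20039   IN      MX      5 indal.disa.mil.
disa.mil.               20039   IN      MX      0 pico.disa.mil.
disa.mil.               20039   IN      MX      10 dnipro.disa.mil.
disa.mil.               20039   IN      RRSIG   MX 8 2 86400 20141121222228 20141022222228 40608 disa.mil.
lC2W9knYgviYJUKMYw9FJueUk4cR19spu7QsX3novmYrlOI70F0Rrzxm adU17tvfq1vbtzgYH0FriGIMdywPu/ssO7mK4KGhDj7pkQCcJZzlbrMe
OlJOcC9mQcjgb6nt5KREBaIGzTGY0gA7AM6X2Ft/t9ZdsE/K+jNejgEc 4+M=
"""

# Second constructed sample (not real data): the same answer with the RRSIG's
# own TTL changed to 86400 so it no longer matches the MX RRset's TTL of 20039.
MISMATCH_SAMPLE = re.sub(r"(\S+\s+)20039(\s+IN\s+RRSIG)", r"\g<1>86400\2", SAMPLE)


def parse_dig(text):
    """Return (header flags, answer-section records). A record is a dict with
    name, ttl, rtype and rdata (token list); wrapped rdata lines are rejoined."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other section header ends the answer section
            continue
        tok = line.split()
        if not in_answer or not tok:
            continue
        if len(tok) >= 4 and tok[1].isdigit() and tok[2] == "IN":
            records.append({"name": tok[0], "ttl": int(tok[1]), "rtype": tok[3], "rdata": tok[4:]})
        elif records:
            records[-1]["rdata"].extend(tok)  # continuation of a wrapped RRSIG
    return flags, records


def parse_rrsig(rdata):
    """Split RRSIG presentation-format rdata into its RFC 4034 section 3 fields."""
    keys = ("type_covered", "algorithm", "labels", "original_ttl",
            "expiration", "inception", "key_tag", "signer")
    sig = dict(zip(keys, rdata[:8]))
    for k in ("algorithm", "labels", "original_ttl", "key_tag"):
        sig[k] = int(sig[k])
    sig["signature"] = "".join(rdata[8:])  # base64 chunks rejoined
    return sig


def sig_time(stamp):
    """RRSIG inception/expiration are UTC timestamps in YYYYMMDDHHMMSS form."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_answer(text, now=None):
    """Run the checks. `now` is a YYYYMMDDHHMMSS UTC string (default: current time).
    Returns {'ad': bool, 'in_window': [(type, bool)],
             'ttl_mismatch': [(type, rrset_ttl, rrsig_ttl)],
             'original_ttl_exceeded': [(type, rrset_ttl, original_ttl)]}."""
    now_dt = sig_time(now) if now else datetime.now(timezone.utc)
    flags, records = parse_dig(text)
    out = {"ad": "ad" in flags, "in_window": [], "ttl_mismatch": set(), "original_ttl_exceeded": set()}
    for rec in records:
        if rec["rtype"] != "RRSIG":
            continue
        sig = parse_rrsig(rec["rdata"])
        out["in_window"].append(
            (sig["type_covered"], sig_time(sig["inception"]) <= now_dt <= sig_time(sig["expiration"])))
        for r in records:
            if r["name"] != rec["name"] or r["rtype"] != sig["type_covered"]:
                continue
            if r["ttl"] != rec["ttl"]:  # RFC 4035 s2.2: RRSIG TTL must equal the covered RRset's TTL
                out["ttl_mismatch"].add((r["rtype"], r["ttl"], rec["ttl"]))
            if r["ttl"] > sig["original_ttl"]:  # a cache may lower a TTL, never raise it past Original TTL
                out["original_ttl_exceeded"].add((r["rtype"], r["ttl"], sig["original_ttl"]))
    out["ttl_mismatch"] = sorted(out["ttl_mismatch"])
    out["original_ttl_exceeded"] = sorted(out["original_ttl_exceeded"])
    return out


if __name__ == "__main__":
    # 20141029150034 is the UTC time of the message above (08:00:34 -0700).
    for label, sample in (("as posted", SAMPLE), ("altered RRSIG TTL", MISMATCH_SAMPLE)):
        print(label, check_answer(sample, "20141029150034"))
```

On the posted answer the checks come back clean: AD set, signature inside its window, RRSIG and MX TTLs both 20039 and below the Original TTL of 86400, which is consistent with the lookup having validated. Note that the AD bit only reports the resolver's verdict; when a name does SERVFAIL, repeating the query with `+cd` (checking disabled) and getting data back is the quick way to tell a validation failure from an ordinary resolution failure.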
