[dns-operations] Problem resolving some uppercase .GOV domains

Mon May 11 20:53:11 UTC 2009

I have BIND 9.6.0-P1 running on Solaris 10 SPARC with the following
configuration:

trusted-keys {
        gov. 257 3 7 "AwEAAZ1OCt7zZxeaROvz XNCNlqQWIi++p5ABXSox
qJ65WQko6xrI9RImK7IB T5roFhXjBDGJ8ld9CYIE N94kK83K/QwUGCJ+v3vI
QFi09IqsPeRdHTQyghWW bhzAZpnlZ16imXB4yFZj dbV2iM66KcgsESQMPEcI
ayDQJh6JEi1wmslrYvRR J6YPOWrlLD0RmdtCaRuz lUE0RiWSem/i8vDFdmsS
wChRMcORklKqjqt1+RBI iEFJGKIz7lGc9DXRwkBf b+halii+jrELiZAPzfO7
rf08l3QlgHEuxclTTdEa xctPd2O2U/Hl9tRgkxRL /Zv1i0sEx2mOJGcUCeVm
4Hf2aM8=";
};

options {
        dnssec-enable yes;
        dnssec-validation yes;

The machine is directly on the Internet, outside of any firewalls.

I have the following resolution problem:

[ns:/root]# dig www.cashlink2.gov

; <<>> DiG 9.6.0-P1 <<>> www.cashlink2.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1372
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cashlink2.gov.             IN      A

;; ANSWER SECTION:
www.cashlink2.gov.      0       IN      A       65.196.77.139

;; AUTHORITY SECTION:
www.cashlink2.gov.      17650   IN      NS      dns2.cashlink2.gov.
www.cashlink2.gov.      17650   IN      NS      dns1.cashlink2.gov.

;; ADDITIONAL SECTION:
dns1.cashlink2.gov.     17790   IN      A       65.196.77.151
dns2.cashlink2.gov.     17789   IN      A       12.173.51.170

;; Query time: 22 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 11 16:47:19 2009
;; MSG SIZE  rcvd: 121

[ns:/root]# dig WWW.CASHLINK2.GOV

; <<>> DiG 9.6.0-P1 <<>> WWW.CASHLINK2.GOV
;; global options: +cmd
;; connection timed out; no servers could be reached
[ns:/root]#

I can fix this problem by setting dnssec-validation no;

Can anyone shed any light on this behavior?  Thanks,

Paul Gani
FDA | OIM | DOI - Network Security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20090511/e76d0a1c/attachment.html>