[dns-operations] fun with .gov

Mark Andrews marka at isc.org
Wed Jan 20 01:41:58 UTC 2010


In message <B115593F-D8B7-450C-8314-70E0CCEAA16E at centergate.com>, Rodney Joffe 
writes:
> Michael,
> 
> nic.gov was the last host that responded with data.
> 
> whois.dotgov.gov has never responded for us.
> 
> If anyone finds a working port 43 server for .gov, let us know :-)

If anyone finds a whois server that gives contact information please let
us know.  Just returning whether the domain is active or not is not enough
to be able to report errors which is one of the main purposes of whois.

Mark

% whois -g dotgov.gov
% DOTGOV WHOIS Server ready
Domain Name: dotgov.gov
Status: Active

Please be advised that this whois server only contains information pertaining to the .GOV domain. For information for other domains please use the whois server at RS.INTERNIC.NET.
% 

> On Jan 13, 2010, at 7:19 PM, Michael Sinatra wrote:
> 
> > Over the past week, I have seen three problems related to the GOV  
> > TLD (mostly nih.gov):
> >
> > 1. whois b0rked:
> >
> > On MacOS X and *bsd systems, 'whois xxx.gov' attempts to contact the  
> > server at gov.whois-servers.net.  That used to work, but at some  
> > point, I started getting the following:
> >
> > [sonic] ~> whois nih.gov
> > whois: gov.whois-servers.net: Non-recoverable failure in name  
> > resolution
> >
> > [sonic] ~> dig gov.whois-servers.net
> >
> > ; <<>> DiG 9.6.1-P2 <<>> gov.whois-servers.net
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10480
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;gov.whois-servers.net.         IN      A
> >
> > ;; ANSWER SECTION:
> > gov.whois-servers.net.  511     IN      CNAME   nic.gov.
> >
> > ;; AUTHORITY SECTION:
> > nic.gov.                38311   IN      SOA     dnssec7.datamtn.com.  
> > support.datamtn.com. 2009123014 10800 3600 604800 38400
> >
> > It looks like there is no longer an A record for nic.gov.
> >
> > There is still an A record for whois.nic.gov (which Linux whois  
> > clients tend to use by default), but I get a timeout when I try to  
> > do a whois query to that server.  I am going to pass this on to  
> > Centergate (maintainers of whois-servers.net) and datamtn.com, but I  
> > thought I would just point it out here.
> >
> > 2. Problems in nih.gov: nlm.nih.gov mis-signed last week: Last week,  
> > the nlm.nih.gov zone was missing DNSSEC records on 3 of its 5  
> > authoritative nameservers.  lhcns1.nlm.nih.gov and  
> > lhcns2.nlm.nih.gov both had DNSKEYs and signed data in their  
> > nlm.nih.gov zones; but the parent nameservers (also authoritative)  
> > ns.nih.gov and ns[23].nih.gov did not.  A DS record for nlm.nih.gov  
> > did exist in nih.gov, so this broke the zone nlm.nih.gov (and all  
> > subzones) for validation.  This was fixed late last week, although  
> > lhcns[12] have different signature validity dates.  (Perhaps the  
> > signing processes are separate on those two machines?)  However, the  
> > zone does now validate.
> >
> > A number of people on the Internet2 DNSSEC mailing list helped  
> > diagnose this problem.
> >
> > 3. Problems in nih.gov: niehs.nih.gov broken: This problem is still  
> > ongoing.  Casey Deccio of Sandia National Lab diagnosed this problem  
> > and posted it to dnssec at internet2.edu.  It's another case where the  
> > parent zone nameservers (ns.nih.gov and ns[23].nih.gov,  
> > authoritative for nih.gov) are also authoritative for the child zone  
> > niehs.nih.gov.  In this case, there are no delegation (NS) records,  
> > nor are there DS records for niehs.nih.gov in nih.gov.  In a non- 
> > DNSSEC-validation situation, one can (mostly) get away with this  
> > setup because the authoritative nameservers load the sub-zone and  
> > have the NS records there.  In a validation situation, where one  
> > asks the parent nameserver for DS records, the parent nameserver  
> > will reply with NXDOMAIN instead of NOERROR with an empty answer  
> > section.  The result is a validation (and resolution) failure, even  
> > though niehs.nih.gov isn't intended to be signed or validated.
> >
> > Michael Contino of Penn State has been trying to track down this  
> > problem with the contractor who provides DNS for niehs.nih.gov, but  
> > that doesn't seem to have gotten anywhere yet.  The fix really needs  
> > to be in nih.gov, not in niehs.nih.gov.
> >
> > Because these problems have surfaced just recently, I suspect that  
> > the trust anchor DS record for nih.gov has recently been added to  
> > the gov zone.  Can anyone with visibility in the GOV TLD operation  
> > confirm?  If that's the case, it serves as a reminder to test your  
> > signed zone before you start spreading your trust anchors.  There  
> > are a number of us in EDU and GOV who are doing validation, and this  
> > is breaking things for us. Also if anyone knows of a clueful contact  
> > in nih.gov, let me know.
> >
> > To everyone else, we need to be careful to have delegation NS  
> > records in the parent zone even/especially if the parent zone is  
> > signed and the child is not.
> >
> > michael
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
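A check for the delegation problem Michael describes in item 3, added here as an example and not part of the original thread. It asks the parent's authoritative servers for the NS and DS records at the child name, the way a validating resolver would, and reports what it sees. It assumes dig(1) from BIND is installed; the child and server names in the usage line are the ones named in the post, used only to illustrate the invocation, and any zone and servers can be substituted.

```shell
#!/bin/sh
# check_delegation.sh -- added example, not code from the list post.
# Checks whether a parent zone really delegates a child by querying the
# parent's authoritative servers for NS and DS at the child name.
# Assumes dig(1) from BIND is installed.
#
#   sh check_delegation.sh niehs.nih.gov ns.nih.gov ns2.nih.gov ns3.nih.gov
#
# (child and servers above are the names from the post; any zone works)

# parse_header: read dig output on stdin and print "RCODE AA ANCOUNT",
# e.g. "NXDOMAIN aa 0".  Only the ";; ->>HEADER<<-" and ";; flags:" lines
# are consulted, so any dig output format works.
parse_header() {
    awk '
        BEGIN { rcode = "NONE"; aa = "noaa"; an = 0 }
        /->>HEADER<<-/ {
            rcode = $0; sub(/.*status: /, "", rcode); sub(/,.*/, "", rcode)
        }
        /^;; flags:/ {
            f = $0; sub(/.*flags:/, "", f); sub(/;.*/, "", f)
            aa = (f ~ /(^| )aa( |$)/) ? "aa" : "noaa"
            an = $0; sub(/.*ANSWER: /, "", an); sub(/,.*/, "", an)
        }
        END { print rcode, aa, an }'
}

# ds_verdict RCODE ANCOUNT: interpret the parent's answer to the DS query.
# The DS record lives in the parent zone, so this answer comes from the
# parent zone even on a server that also loads the child zone.
ds_verdict() {
    case "$1" in
        NOERROR)
            if [ "$2" -gt 0 ]; then
                echo "SIGNED"    # DS present: child is signed and must match
            else
                echo "UNSIGNED"  # delegation exists, no DS: insecure, validates
            fi ;;
        NXDOMAIN)
            echo "BROKEN" ;;     # name absent from parent zone: no NS, no DS
        *)
            echo "UNKNOWN" ;;
    esac
}

# check_delegation CHILD SERVER...: query each server and print one line
# per server with the NS result, the DS result and the verdict.
check_delegation() {
    child=$1; shift
    for ns in "$@"; do
        nsq=$(dig +norecurse +dnssec "@$ns" "$child" NS | parse_header)
        dsq=$(dig +norecurse +dnssec "@$ns" "$child" DS | parse_header)
        ds_rcode=${dsq%% *}
        ds_an=${dsq##* }
        printf '%-20s NS: %-16s DS: %-16s -> %s\n' \
            "$ns" "$nsq" "$dsq" "$(ds_verdict "$ds_rcode" "$ds_an")"
    done
}

# Only touch the network when invoked with a child name and servers.
if [ $# -ge 2 ]; then
    check_delegation "$@"
fi
```

When the same servers are authoritative for both zones, the NS query comes back NOERROR with the aa flag set and a full answer, served from the child zone, and looks perfectly healthy; that is the "mostly get away with it" case from the post. The DS query is answered from the parent zone, and if the parent has no NS or DS at the child name it returns NXDOMAIN (signed with an NSEC/NSEC3 denial), which a validator cannot reconcile with the child's existing data. Adding the delegation NS records to the parent turns that into NOERROR with an empty answer, which is the correct answer for an unsigned child.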
