[dns-operations] Validation problems for nal.usda.gov
marka at isc.org
Fri Nov 16 02:12:01 UTC 2012
In message <50A53AD6.70403 at ack.berkeley.edu>, Rune Stromsness writes:
> We've been seeing DNSSEC validation problems (using the ISC DLV trust
> anchor) for nal.usda.gov for about 3 weeks now. We've been unable to
> get in touch with anyone at the NAL who knows anything about DNSSEC, and
> we're not happy about turning off use of the DLV for our campus. Our
> customers are getting more unhappy with their inability to use the
> nal.usda.gov resources from campus, however.
> Does anyone know of a USDA or .gov contact who knows what DNSSEC is who
> might be able to help get the NAL to fix or mitigate their issues?
> Rune Stromsness
> Network Operations & Services
> University of California, Berkeley
> runes at berkeley.edu
They have a large DNSKEY RRset (;; MSG SIZE rcvd: 2731) so you may
be seeing issues with fragmentation. The DLV records match the
% dig dlv nal.usda.gov.dlv.isc.org +short
22225 8 1 026C4CC083FB1EEE7EF574215FFD55DF81B9559F
36611 7 2 874E38617A6F8855B94995E911DF53F8A2075A698C5BCE748E957D5B 45D7BA55
22225 8 2 795761E4D80E2EA25BC342ABDE6B99D3134FD95F70B95A81369FFC0F 8B350CE5
36611 7 1 EA4D0578B59FB25FE583AF77B190A23EFB812B1A
% dig dnskey nal.usda.gov +dnssec +multi | grep 22225
) ; KSK; alg = RSASHA256; key id = 22225
20130213202211 20121115202211 22225 nal.usda.gov.
% dig dnskey nal.usda.gov +dnssec +multi | grep 36611
) ; KSK; alg = NSEC3RSASHA1; key id = 36611
20130213202211 20121115202211 36611 nal.usda.gov.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations