[dns-operations] problems resolving army.mil and us.army.mil?

Rose, Scott W. scott.rose at nist.gov
Wed Aug 21 17:19:36 UTC 2013


From appearances, the error is not DNSSEC related (army.mil is unsigned),
but that no one can reach the army.mil servers.  I see both SERVFAIL and
"no servers could be reached" errors.

As for requiring validation, the next version of the security controls for
all Federal USG systems will require DNSSEC validation in the agency.
This will likely be at the recursive resolver level, not the end system.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

That was published in 4/2013, so it won't be "in effect" until next April,
but some agencies are doing validation now.  We already hear of issues and
some successes.

Scott

===================================
Scott Rose
NIST
scott.rose at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
https://www.had-pilot.com/
===================================
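A small triage helper, added here as an example and not part of the list thread, that mechanises the distinction drawn above between "the authoritative servers cannot be reached" and "a validating resolver rejected the data". It reduces dig transcripts to one-word statuses and combines a DS check (is the zone signed?), a normal query, a +cd query (checking disabled) and a direct query to one authoritative server into a verdict. It assumes BIND 9's dig is installed, a validating resolver at 127.0.0.1 (overridable via the second argument or TRIAGE_RESOLVER), and the TRIAGE_NAME environment variable; those names and defaults are this example's own conventions.

```shell
#!/bin/sh
# Added triage helper (not from the dns-operations thread). Assumes dig from
# BIND 9; resolver address and zone name are supplied by the caller.

# Reduce one dig transcript to a one-word status.
classify_dig_output() {
  case "$1" in
    *"no servers could be reached"*) echo unreachable ;;
    *"status: SERVFAIL"*)            echo servfail ;;
    *"status: NXDOMAIN"*)            echo nxdomain ;;
    *"status: NOERROR"*)             echo answered ;;
    *)                               echo unknown ;;
  esac
}

# Combine four observations into a verdict:
#   $1  whether the parent publishes a DS for the name (yes/no)
#   $2  status from a validating resolver, normal query
#   $3  status from the same resolver with +cd (checking disabled)
#   $4  status when asking an authoritative server directly
diagnose() {
  signed="$1"; normal="$2"; cdflag="$3"; auth="$4"
  if [ "$auth" = unreachable ]; then
    echo "authoritative servers unreachable: not a DNSSEC problem"
  elif [ "$normal" = answered ]; then
    echo "resolves normally"
  elif [ "$signed" = yes ] && [ "$normal" = servfail ] && [ "$cdflag" = answered ]; then
    echo "DNSSEC validation failure: data is served but fails validation"
  elif [ "$signed" = no ] && [ "$normal" = servfail ]; then
    echo "SERVFAIL on an unsigned zone: look at server reachability or delegation, not DNSSEC"
  else
    echo "inconclusive: signed=$signed normal=$normal cd=$cdflag auth=$auth"
  fi
}

# Run dig with a short timeout and classify the transcript. Extra arguments
# (+cd, @server, ...) are passed straight through to dig.
probe() {
  out=$(dig +time=2 +tries=1 "$@" 2>&1) || true
  classify_dig_output "$out"
}

# Live triage of one name against a validating resolver (assumed default
# 127.0.0.1). The NS lookup uses +cd so a validation failure alone does not
# hide the nameserver list; the first NS returned is probed directly.
triage() {
  name="$1"; resolver="${2:-127.0.0.1}"
  ds=$(dig +short +time=2 +tries=1 DS "$name" "@$resolver" 2>/dev/null) || true
  [ -n "$ds" ] && signed=yes || signed=no
  ns=$(dig +short +cd +time=2 +tries=1 NS "$name" "@$resolver" 2>/dev/null | head -n 1) || true
  normal=$(probe A "$name" "@$resolver")
  cdflag=$(probe +cd A "$name" "@$resolver")
  if [ -n "$ns" ]; then auth=$(probe A "$name" "@$ns"); else auth=unknown; fi
  diagnose "$signed" "$normal" "$cdflag" "$auth"
}

# Touches the network only when asked:  TRIAGE_NAME=army.mil sh triage.sh
if [ -n "${TRIAGE_NAME:-}" ]; then
  triage "$TRIAGE_NAME" "${TRIAGE_RESOLVER:-127.0.0.1}"
fi
```

Without TRIAGE_NAME set the script only defines the functions, so the classifier can be exercised on saved dig transcripts. In the situation described in the thread (unsigned zone, every listed server unreachable) the DS lookup succeeds at the parent and comes back empty, the NS lookup through the same resolver yields nothing to probe, and the unsigned-zone SERVFAIL branch points away from DNSSEC and toward reachability, which is the conclusion reached above.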

-----Original Message-----
From: Christopher Morrow <morrowc.lists at gmail.com>
Date: Wednesday, August 21, 2013 1:04 PM
To: Fr34k <freaknetboy at yahoo.com>
Cc: "Rose, Scott W." <scott.rose at nist.gov>, Mike A <mikea at mikea.ath.cx>,
DNS Operations <dns-operations at mail.dns-oarc.net>
Subject: Re: [dns-operations] problems resolving army.mil and us.army.mil?

>a question(s) from the peanut gallery...
>(I assumed some things...)
>
>if the operations work to maintain dnssec stuff for zones is not
>productionized and automated and tested failures like this army.mil
>(and most previous other zone problems elsewhere related to dnssec,
>most likely) issue happen...
>
>what process gets us all to better, more stable, more reliable dnssec
>deployment on a per-zone basis?
>
>is the problem that army.mil can be broken for X hours/days with
>respect to dnssec because 'no one notices' and thus the failure has
>low/zero cost to the domain owner? Is the process/ops-work so hard
>that it can't be automated/productionized?
>
>If the 'no one notices' answer is 'yes', how do more people get to the
>place where they notice? by enabling validation in resolvers? could US
>Gov't agencies all enable this 'now' and help to find these problems
>more quickly? could OMB be brought to bear on this sort of thing in a
>reasoned way?
>
>-chris
>
>On Wed, Aug 21, 2013 at 10:18 AM, Fr34k <freaknetboy at yahoo.com> wrote:
>> http://dnssec-debugger.verisignlabs.com/army.mil  also shows several
>>issues.
>>
>> ----- Original Message -----
>>> From: "Rose, Scott W." <scott.rose at nist.gov>
>>> To: Mike A <mikea at mikea.ath.cx>; DNS Operations
>>><dns-operations at mail.dns-oarc.net>
>>> Cc:
>>> Sent: Wednesday, August 21, 2013 10:06 AM
>>> Subject: Re: [dns-operations] problems resolving army.mil and
>>>us.army.mil?
>>>
>>> Me too.  From NIST and DNSViz:
>>> http://dnsviz.net/d/army.mil/dnssec/
>>>
>>> Can't reach any of the servers listed.
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: Mike A <mikea at mikea.ath.cx>
>>> Date: Wednesday, August 21, 2013 10:02 AM
>>> To: DNS Operations <dns-operations at mail.dns-oarc.net>
>>> Subject: [dns-operations] problems resolving army.mil and us.army.mil?
>>>
>>>> I'm seeing timeouts and SERVFAILs trying to resolve army.mil and
>>>> us.army.mil from multiple locations on disjoint nets. Anyone else?
>>>>
>>>> --
>>>> Mike Andrews, W5EGO
>>>> mikea at mikea.ath.cx
>>>> Tired old sysadmin
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>>
>>>
