[dns-operations] Dealing with the bizarre - grantee.fema.gov

Brian Somers bsomers at opendns.com
Wed Jul 8 18:20:27 UTC 2020


I thought this was worth a question here as I’m completely confused about how
this domain functions.

As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
and respond correctly:
    # dig +short ns fema.gov
    a1-91.akam.net.
    a7-64.akam.net.
    a8-65.akam.net.
    a9-66.akam.net.
    a16-67.akam.net.
    a22-66.akam.net.
    
    # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
    grantee.fema.gov.       86400   IN      DS      1164 10 1 [omitted]
    grantee.fema.gov.       86400   IN      RRSIG   DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
    grantee.fema.gov.       300     IN      NS      ns-dc2gtm2.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc1gtm1.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc2gtm1.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc1gtm2.dhs.gov.

However, grantee.fema.gov is horribly broken:
    • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
    • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
    • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other  AUTHORITY RRs, regardless of the DO bit

The bit that confuses me however:
    • Querying 1.1.1.1, 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/A works.
      8.8.8.8 even sets the AD bit.
    • Querying 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/DNSKEY
      * works without the DO bit
      * fails with the DO bit (NODATA and no auth RRs or else a TIMEOUT)
    • Querying 1.1.1.1 for grantee.fema.gov/DNSKEY
      * gets SERVFAIL, regardless of the DO bit.

I can only suspect that all 3 of these resolvers have an NTA for this domain!
Other resolvers such as 64.6.64.6 (and 208.67.222.2) correctly SERVFAIL
the grantee.fema.gov/A query while 156.154.70.5 responds and includes the
AD bit.

Can anybody confirm/deny?

—
Brian


More information about the dns-operations mailing list