[dns-operations] Dealing with the bizarre - grantee.fema.gov

Brian Somers bsomers at opendns.com
Wed Jul 8 18:20:27 UTC 2020

I thought this was worth a question here as I’m completely confused about how
this domain functions.

As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
and respond correctly:
    # dig +short ns fema.gov
    # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
    grantee.fema.gov.       86400   IN      DS      1164 10 1 [omitted]
    grantee.fema.gov.       86400   IN      RRSIG   DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
    grantee.fema.gov.       300     IN      NS      ns-dc2gtm2.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc1gtm1.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc2gtm1.dhs.gov.
    grantee.fema.gov.       300     IN      NS      ns-dc1gtm2.dhs.gov.

However, grantee.fema.gov is horribly broken:
    • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
    • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
    • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit

The bit that confuses me however:
    • Querying, and for grantee.fema.gov/A works, and even sets the AD bit.
    • Querying and for grantee.fema.gov/DNSKEY
      * works without the DO bit
      * fails with the DO bit (NODATA and no auth RRs or else a TIMEOUT)
    • Querying for grantee.fema.gov/DNSKEY
      * gets SERVFAIL, regardless of the DO bit.

I can only suspect that all 3 of these resolvers have an NTA for this domain!
Other resolvers such as (and correctly SERVFAIL
the grantee.fema.gov/A query while responds and includes the
AD bit.

Can anybody confirm/deny?
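The checks in the post (DNSKEY query with and without the EDNS0 DO bit, watching for TC, NODATA-with-SOA, SERVFAIL and the AD flag) can be reproduced without dnspython by building the wire format by hand. The following is an added example, not code from the original post: it encodes a query with the DO bit set in the OPT record's TTL field, parses a response header plus its sections, and labels the outcome the way the post does. The sample responses are constructed inline to mirror the described behaviours (they are not captures from the grantee.fema.gov servers), and `query_udp` is provided only so a reader can send the same query to a real server; nothing below touches the network when imported.

```python
"""Build DNSKEY queries with/without the DO bit and classify responses (added example)."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_DNSKEY = 1, 6, 41, 48
CLASS_IN = 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000  # DO bit is the high bit of the OPT RR's 32-bit TTL field (RFC 3225)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def rr(name, rtype, ttl, rdata):
    """A single uncompressed resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def opt_rr(do_bit, udp_size=1232):
    """EDNS0 OPT pseudo-RR: root name, CLASS carries the UDP payload size, TTL carries DO."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do_bit else 0, 0)


def build_message(txid, flags, question, answers=(), authority=(), additional=()):
    qname, qtype = question
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), len(additional))
    return (header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
            + b"".join(answers) + b"".join(authority) + b"".join(additional))


def build_query(qname, qtype, do_bit, txid=0x1234):
    """Recursion-desired query; the OPT record carries the DO bit only when requested."""
    return build_message(txid, FLAG_RD, (qname, qtype), additional=(opt_rr(do_bit),))


def query_udp(server, wire, timeout=3.0):
    """Send one UDP query to port 53; returns the response bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def skip_name(wire, off):
    """Advance past a wire-format name, honouring a compression pointer as terminator."""
    while True:
        n = wire[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_response(wire):
    """Return header flags plus the RR types seen in each section and the OPT DO bit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4  # skip QTYPE and QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    do_bit = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(wire, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do_bit = bool(ttl & EDNS_DO)
            else:
                sections[section].append(rtype)
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "do": do_bit, **sections}


def classify(wire):
    """Label a response with the same vocabulary as the post's bullet list."""
    r = parse_response(wire)
    if r["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"
    if r["tc"]:
        return "TRUNCATED"
    if r["answer"]:
        return "ANSWER+AD" if r["ad"] else "ANSWER"
    if TYPE_SOA in r["authority"]:
        return "NODATA"
    return "EMPTY"


# Constructed samples (not real captures) mirroring the behaviours described in the post.
Q = ("grantee.fema.gov", TYPE_DNSKEY)
UNSIGNED_ANSWER = build_message(0x1234, FLAG_QR | FLAG_RD, Q,
                                answers=(rr(Q[0], TYPE_DNSKEY, 300, b"\x01\x01\x03\x08" + b"\x00" * 8),),
                                additional=(opt_rr(False),))
TRUNCATED = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_TC, Q, additional=(opt_rr(True),))
NODATA = build_message(0x1234, FLAG_QR | FLAG_RD, Q,
                       authority=(rr(Q[0], TYPE_SOA, 300, b"\x00" * 22),), additional=(opt_rr(True),))
SERVFAIL = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, Q)
VALIDATED_A = build_message(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, (Q[0], TYPE_A),
                            answers=(rr(Q[0], TYPE_A, 300, bytes([192, 0, 2, 1])),),
                            additional=(opt_rr(True),))

if __name__ == "__main__":
    for label, wire in [("no-DO DNSKEY", UNSIGNED_ANSWER), ("DO DNSKEY", TRUNCATED),
                        ("TCP DNSKEY", NODATA), ("validating resolver", SERVFAIL),
                        ("resolver A", VALIDATED_A)]:
        print(f"{label:20s} -> {classify(wire)}")
```

A DS RRset at the parent commits validating resolvers to fetching and verifying the child's DNSKEY with DO set, so the interesting signal is the combination this code surfaces: the DNSKEY path yields TRUNCATED or NODATA while an A answer from the same resolver still carries AD, which is only consistent if that resolver is not validating the zone (for example because of a negative trust anchor).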
