[dns-operations] Dealing with the bizarre - grantee.fema.gov
Brian Somers
bsomers at opendns.com
Wed Jul 8 18:20:27 UTC 2020
I thought this was worth a question here as I’m completely confused about how
this domain functions.
As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
and respond correctly:
# dig +short ns fema.gov
a1-91.akam.net.
a7-64.akam.net.
a8-65.akam.net.
a9-66.akam.net.
a16-67.akam.net.
a22-66.akam.net.
# dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
grantee.fema.gov. 86400 IN DS 1164 10 1 [omitted]
grantee.fema.gov. 86400 IN RRSIG DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
grantee.fema.gov. 300 IN NS ns-dc2gtm2.dhs.gov.
grantee.fema.gov. 300 IN NS ns-dc1gtm1.dhs.gov.
grantee.fema.gov. 300 IN NS ns-dc2gtm1.dhs.gov.
grantee.fema.gov. 300 IN NS ns-dc1gtm2.dhs.gov.
However, grantee.fema.gov is horribly broken:
• Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
• Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
• Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit
The bit that confuses me however:
• Querying 1.1.1.1, 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/A works. 8.8.8.8 even sets the AD bit.
• Querying 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/DNSKEY
* works without the DO bit
* fails with the DO bit (NODATA and no auth RRs or else a TIMEOUT)
• Querying 1.1.1.1 for grantee.fema.gov/DNSKEY
* gets SERVFAIL, regardless of the DO bit.
I can only suspect that all 3 of these resolvers have an NTA for this domain!
Other resolvers such as 64.6.64.6 (and 208.67.222.2) correctly SERVFAIL
the grantee.fema.gov/A query while 156.154.70.5 responds and includes the
AD bit.
Can anybody confirm/deny?
—
Brian
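The query shapes and reply behaviours described in the post (a DNSKEY query with and without the EDNS0 DO bit, a TC'd UDP reply, a NODATA reply carrying only an SOA in AUTHORITY, and a resolver reply with AD set), as an added example that is not code from the post, from OpenDNS or from any of the servers mentioned. It is a stdlib-only Python DNS message builder and parser: build_query sets the DO bit via an OPT RR, parse_response extracts the flags and per-section RR types, and summarize gives a one-line verdict in the post's terms. The three replies are constructed inside the block to stand in for what the post reports; the SOA RNAME, serial and timers and the 192.0.2.1 address are made up, and send_tcp is only there so the same builder and parser can be pointed at a real server (nothing in the block touches the network when run).

```python
"""Minimal DNS message builder/parser for the checks in the post: DO-bit (EDNS0)
queries, and TC / AD / NODATA inspection of replies. Added example, stdlib only."""
import socket
import struct

# Header flag bits (RFC 1035, AD from RFC 4035) and the RR types used below.
QR, TC, RD, RA, AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
TYPE_A, TYPE_NS, TYPE_SOA, TYPE_OPT, TYPE_DS, TYPE_DNSKEY = 1, 2, 6, 41, 43, 48
TYPE_NAMES = {TYPE_A: "A", TYPE_NS: "NS", TYPE_SOA: "SOA", TYPE_DS: "DS", TYPE_DNSKEY: "DNSKEY"}
EDNS_DO = 0x8000  # DO is the high bit of the OPT RR's 16-bit flags (low half of its TTL field)
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format a dotted name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at `off`; a compression pointer (0xC0..) ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(name, qtype, do=False, qid=0x1234):
    """Query with RD set; do=True appends an OPT RR (4096-byte payload) with the DO bit."""
    msg = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:  # OPT: root name, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def parse_response(msg):
    """Return rcode, TC, AD, whether DO was echoed, NODATA, and RR type names per section."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections, do = {"answer": [], "authority": [], "additional": []}, False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                do = bool(ttl & EDNS_DO)
            else:
                sections[section].append(TYPE_NAMES.get(rtype, str(rtype)))
    rcode = flags & 0x000F
    return {"rcode": rcode, "tc": bool(flags & TC), "ad": bool(flags & AD), "do": do,
            "nodata": rcode == 0 and not sections["answer"], **sections}


def summarize(info):
    """One-line verdict in the terms the post uses."""
    if info["tc"]:
        return "TC set (retry over TCP)"
    if info["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL"
    if info["nodata"]:
        return "NODATA, AUTHORITY=" + ",".join(info["authority"])
    return "answer " + ",".join(info["answer"]) + (" with AD" if info["ad"] else "")


def send_tcp(server, query, timeout=5):
    """Send a query over TCP (2-byte length prefix) and return the raw reply. Network; unused here."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", s.recv(2))[0]
        reply = b""
        while len(reply) < length:
            reply += s.recv(length - len(reply))
    return reply


# --- constructed replies standing in for the three behaviours the post describes ---------
def rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query, flags, answer=(), authority=(), additional=()):
    """Constructed reply echoing the query's ID and question section."""
    qend = skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], QR | flags,
                         1, len(answer), len(authority), len(additional))
    return header + query[12:qend] + b"".join([*answer, *authority, *additional])


NAME = "grantee.fema.gov."
OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
# SOA rdata: MNAME is one of the NS names from the post; RNAME, serial and timers are made up.
SOA_RDATA = (encode_name("ns-dc1gtm1.dhs.gov.") + encode_name("hostmaster.example.")
             + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))
DNSKEY_QUERY = build_query(NAME, TYPE_DNSKEY, do=True)
TCP_DNSKEY_REPLY = build_response(DNSKEY_QUERY, RD | RA, authority=[rr(NAME, TYPE_SOA, SOA_RDATA)])
TRUNCATED_REPLY = build_response(DNSKEY_QUERY, RD | RA | TC)  # UDP + DO: empty, TC set
A_QUERY = build_query(NAME, TYPE_A, do=True)  # 192.0.2.1 below is a documentation address
VALIDATED_A_REPLY = build_response(A_QUERY, RD | RA | AD, additional=[OPT_RR],
                                   answer=[rr(NAME, TYPE_A, bytes([192, 0, 2, 1]))])

if __name__ == "__main__":
    for label, reply in (("tcp DNSKEY +do", TCP_DNSKEY_REPLY), ("udp DNSKEY +do", TRUNCATED_REPLY),
                         ("resolver A +do", VALIDATED_A_REPLY)):
        print(f"{label:16} {summarize(parse_response(reply))}")
```

To run the same checks against a live server, pair build_query with send_tcp (or a plain UDP sendto for the non-TCP case) and feed the reply to parse_response; a reply with "tc" set is the cue to retry over TCP, and "do" reports whether the server echoed the OPT record at all, which is the first thing to check when DO-bit queries behave differently from plain ones.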