[dns-operations] Dealing with the bizarre - grantee.fema.gov
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jul 8 19:03:57 UTC 2020
On Wed, Jul 08, 2020 at 11:20:27AM -0700, Brian Somers wrote:
> # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
> grantee.fema.gov. 86400 IN DS 1164 10 1 [omitted]
> grantee.fema.gov. 86400 IN RRSIG DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
> grantee.fema.gov. 300 IN NS ns-dc2gtm2.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc1gtm1.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc2gtm1.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc1gtm2.dhs.gov.
Note the SOA record for the child zone:
fema.gov. IN SOA F5-GTM-External4.dc1.dhs.gov. hostmaster at F5-GTM-External4.dc1.dhs.gov. 2020063002 10800 3600 604800 60
It is probably fair to guess that DNS for this domain is delegated to an
F5 load-balancer. These sorts of devices tend to have minimal
seat-of-the-pants DNS implementations, and correct support for DNSSEC
among these is not the norm.
Querying the authoritative server for the SOA record (with the DO bit
set) returns an SOA with no RRSIGs. Querying for the NS RRset returns
the same unsigned SOA with no NS records!
> However, grantee.fema.gov is horribly broken:
> • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
> • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
> • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit
But for me, the DNSKEY and A record queries are working presently:
grantee.fema.gov. IN DNSKEY 256 3 10 AwEAAchfOfxDOIi8+/ljEj5ctUursgKyh3yDxjF6T/WUrEHZeLr77yi0I8tmCpYIbMO6Aul2+7XtuLMsdBpnQ7ThhVLqIuXWQaAkCPIuEFSqT4pNqikOpGh9ecmtSCAnOii/uiZv5TEM5jF9s5XxPAkYhN8lo/O0M2BmGhVyWxuhLs5x
grantee.fema.gov. IN DNSKEY 256 3 10 AwEAAbVXfgRYn7jl7igK3k7ZpJBMvoVAepmSBnN/LSUGZQZ6pjgz6y3/7GEiBGg3UbRWAF2ygs5gw1x+QXun1C2yDlrmQ37OGcJXoj/TDHZHFyl6CZ31UwIMNZjSs/zdJsBGLA2CoDGG4zO0U1CHuYUGBr0KLWfb495D3LK3zzPpDtyv
grantee.fema.gov. IN DNSKEY 257 3 10 AwEAAdFgKwUpGFKp7qAyVzzcRS5jZA2dJLkZQKWRG90wXdVO5anbrXNcOIw3Kzv0ugJ+KoHMV0hAZx0ZFpE1lJFMC60iJkeS7qAGTT+Vzfk4VWZFWcuNf0SJgbla8W5ei/+sjxnYR2yY1IJ3+t7FE7W+uYh2tj0OxuDA9xYAKc3K6ZDFWSIw9k6f/WDQvii2I0NE6Yo9ZxV6etvVAuy2nvEt9rLCIwI2PGyMLYzQxbH9AaTxDQ6u8lHBN0PB8GuDr5BhZK4V0e5YRbhb8tCv7FDzXA0k/sTeHUtyIvT0PKLo/nHZ+8NeA9jVWAeJLPl/tgkgAxo/qUvLYpjKs5DT8g8HSX0=
grantee.fema.gov. IN DNSKEY 257 3 10 AwEAAbronSyPATfnHwvyn0ipda3l6HP5ZWZc2i2mlXtS85HvsdNHPghIRwZJaiOYmob3ED6ZoobJuREZje/FkXpRnoAfXi4wx70GEZRokUt8fcsjuPorbnDVrZjmaYqoERMv6M1XoT8JirIbvkfUp/kjia88xJ23gJjqT3BYkNHJr5y/kVhdUenpouuCfg3Ln5M5t08dYYUZeKGJ4LKw6SyJFBVBaOesn1N2p4AGRg4nQDzVC4p8YslFaZt1RSdLh9xT1FNNKx69vH631VgzZW3eaG6+KmXTNNhxOePuX1te5he1yjW0rXz4OjlFOP0WkBeBj0egRvce6MltIw8EvIyX2Jk=
grantee.fema.gov. IN RRSIG DNSKEY 10 3 86400 20200712003126 20200705003126 38990 grantee.fema.gov. X35dRWfqrnQn9CdTFG+qhSjPkKkPDIigiqIWxdt97wL7f/aJK75iahgvQrYyhx4FtPpF+ww21jFRqY5V1W7WNoFjND6YpXWtSZ/TDr3tEGqCX/cFpSN5nkTfs5N3x7d1VmhcRvH6Z5H1FizRhrGj3/E09UI/m4n35hIdoDKL2+M=
grantee.fema.gov. IN RRSIG DNSKEY 10 3 86400 20200712003126 20200705003126 25856 grantee.fema.gov. LkmCeBgiMoHb6/BJuAIm61wu1jlm6XLq9e4hAFd95bY6o1iaE10NP80913NZTfz2FLFhJUnHIQ4w2aD2keyE7JHKvEWtxPV4h3XXVhBNd6T1c3dWcWF38GAEluswp8jR62mnusOTxcyhhggJBfpFtcG2Lt8V3ejMFSBxpYqS4eU=
grantee.fema.gov. IN RRSIG DNSKEY 10 3 86400 20200712003126 20200705003126 1164 grantee.fema.gov. UyyiOzvwUVQtov0HiKOLmZG56dLESMjysDrvG/SIyz5rr7uGPTwXXW8gUa+UTxXh3KfRsssC7AIqISH3wLLy3dGEjri+AJLZOZRr5Dc6q19QEOsQGMk0T8pxjwZipeLomYSLiVVAN27PBjO8svJccKpjPeGfUxIr5Jqr4wo369WGcdO0Ev9k5fkhPCeRk84RuxGymCEqpa4K7jANmxiKlclRMYZcqNpuso/Dl5Prjz9BjT3GjvV4REpw6SetNsEC4nMhsnpgCpkIN+jd/g+yGbnZS42ghc+rTU+Dgk7cWOsFhLzB+TEHkRqDx84fPTW2yXyvLE99qSe0t68XnGANkQ==
grantee.fema.gov. IN RRSIG DNSKEY 10 3 86400 20200712003126 20200705003126 48924 grantee.fema.gov. N/3HIFIJMN6O7+nk0z7sUPU/2XSIwcjM/6USG20OXP24wu587pT1wv/lytDFB98445/xHPr9K39kI0yb0sbx61ISWtwGJQ3jirUuIO4mBwhZZq6rXYfJmTThdEBJnsJUP4+0qzNCczc5h6x8cfyQoQnQ3rkzQj3UbDX55pNSaDCb2J5h8sO432iyfEH6iOuyDWeH5BXphioYeXEeNRh+qhtMYnwSSLkLwrr+p3FYDLjZ+SJR7G1IVJVkoj9Nr9cJqtBQlg4UR2wF83EXY68G4EAS3PPwUQezf0GLEDijjBfCGuCafP8c7eC/K/aE5yDLUcFevlgG6RXoKbdl6remXQ==
grantee.fema.gov. IN A 173.255.49.196
grantee.fema.gov. IN RRSIG A 10 3 30 20200715002505 20200708002505 38990 grantee.fema.gov. hd7/3YGekRnmzahjGDpcWYj9GaSQWghUJZiHXeCTmXxVTQddHAd1CRPD+kh8CHHkcCXfTm7AyMjrnW8X2qUtgFe+ZMDVbGsEkAI50sxIMI+Zu2aLiClOtQFdqdCkw6Zd0KCvmemN8etr2NYxKO7KV8+VbrVfWS4mR3hU0qZo2bA=
grantee.fema.gov. IN RRSIG A 10 3 30 20200712162346 20200705162346 25856 grantee.fema.gov. YYrWcxlsNjFYSJLUMuUce/W+aySCMXYot2UkHtG+YZ6Mjs6L5pdb2m/By3NJDfHt6IZDl2xS/4eo6RmtuvxPHSfNLedP/HdpBoCsDIHiYY7ni6lt1NDO+EWKaD4DjrFFat54m6mblxT0SzGrqsdFUblaR+DgMCuAD6v1joaBfX4=
> The bit that confuses me however:
> • Querying 1.1.1.1, 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/A works.
> 8.8.8.8 even sets the AD bit.
Because the A record is returned with the requisite signatures to at
least some clients.
> I can only suspect that all 3 of these resolvers have an NTA for this domain!
I would guess otherwise, given the AD bit from 8.8.8.8, and the fact
that signed A and DNSKEY RRsets are available from the authoritative
servers in the glue records.
Perhaps lack of signed NS RRsets at the zone apex is the problem.
Google's DNS is parent-centric...
--
Viktor.
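The checks in this thread (does every RRset the child serves carry an RRSIG, does the parent's DS key tag point at a published DNSKEY, does each RRSIG's key tag point at a DNSKEY of its signer) can be run offline over records collected with dig. The script below is an added example, not code from the post or from anyone on the list. The record set it analyzes is constructed (zone names, keys, signatures and digests are placeholders) and mirrors the shape seen for grantee.fema.gov: a signed DS at the parent, signed DNSKEY and A RRsets at the child, and NS and SOA at the apex with no signatures. The key tag computation follows RFC 4034 Appendix B; the example does not verify signatures, it only reports consistency gaps.

```python
"""Offline DNSSEC consistency checks over RRs in presentation format.

Reports RRsets with no covering RRSIG, DS records whose key tag and
algorithm match no DNSKEY at the same owner, and RRSIGs whose key tag
matches no DNSKEY of the signer. Added example; all data is constructed.
"""
import base64
import struct
from collections import defaultdict


def parse_rr(line):
    """Parse 'owner [ttl] [IN] TYPE rdata...' into (owner, type, rdata tokens)."""
    tokens = line.split()
    owner = tokens[0].lower()
    i = 1
    if tokens[i].isdigit():          # optional TTL
        i += 1
    if tokens[i].upper() == "IN":    # optional class
        i += 1
    return owner, tokens[i].upper(), tokens[i + 1:]


def dnskey_key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def analyze(lines):
    rrsets = defaultdict(list)   # (owner, type) -> list of rdata token lists
    covered = set()              # (owner, type_covered) seen in some RRSIG
    sigs = []                    # (owner, type_covered, keytag, signer)
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, rtype, rd = parse_rr(line)
        if rtype == "RRSIG":
            # RRSIG RDATA: type_covered alg labels orig_ttl exp inc keytag signer sig
            covered.add((owner, rd[0].upper()))
            sigs.append((owner, rd[0].upper(), int(rd[6]), rd[7].lower()))
        else:
            rrsets[(owner, rtype)].append(rd)

    keytags = defaultdict(set)   # owner -> {(keytag, algorithm)}
    for (owner, rtype), rdatas in rrsets.items():
        if rtype == "DNSKEY":
            for rd in rdatas:
                tag = dnskey_key_tag(int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:]))
                keytags[owner].add((tag, int(rd[2])))

    unsigned = sorted(k for k in rrsets if k not in covered)
    ds_orphans = [(owner, int(rd[0]))
                  for (owner, rtype), rdatas in rrsets.items() if rtype == "DS"
                  for rd in rdatas
                  if (int(rd[0]), int(rd[1])) not in keytags[owner]]
    sig_orphans = sorted(s for s in sigs
                         if s[2] not in {tag for tag, _ in keytags[s[3]]})
    return {"unsigned": unsigned, "ds_orphans": ds_orphans,
            "sig_orphans": sig_orphans, "keytags": dict(keytags)}


# Constructed sample: parent-side DS and delegation, child apex as served.
# Keys are tiny placeholders (AQIDBA== is bytes 01 02 03 04); signatures and
# the DS digest are filler, since only key tags are checked here.
SAMPLE = """
example. IN DNSKEY 257 3 8 AQIDBAU=
example. IN RRSIG DNSKEY 8 1 86400 20200712000000 20200705000000 3343 example. c2ln
child.example. 86400 IN DS 2063 8 2 0000000000000000000000000000000000000000000000000000000000000000
child.example. 86400 IN RRSIG DS 8 2 86400 20200711020644 20200708010644 3343 example. c2ln
child.example. 300 IN NS ns1.child.example.
child.example. 300 IN NS ns2.child.example.
child.example. IN SOA ns1.child.example. hostmaster.child.example. 2020063002 10800 3600 604800 60
child.example. IN DNSKEY 257 3 8 AQIDBA==
child.example. IN DNSKEY 256 3 8 AQIDBA==
child.example. IN RRSIG DNSKEY 8 2 86400 20200712003126 20200705003126 2063 child.example. c2ln
child.example. IN A 192.0.2.1
child.example. IN RRSIG A 8 2 30 20200715002505 20200708002505 2062 child.example. c2ln
"""

if __name__ == "__main__":
    report = analyze(SAMPLE.splitlines())
    for owner, rtype in report["unsigned"]:
        print(f"no RRSIG covering {owner} {rtype}")
    for owner, tag in report["ds_orphans"]:
        print(f"DS key tag {tag} at {owner} matches no DNSKEY")
    for owner, rtype, tag, signer in report["sig_orphans"]:
        print(f"RRSIG {rtype} at {owner} by key tag {tag} has no DNSKEY at {signer}")
```

Run against the constructed sample it reports the NS and SOA RRsets at the child apex as unsigned and finds no DS or RRSIG key-tag mismatches, which is the same picture the thread paints: keys and DS line up, but some apex RRsets come back without signatures. To use it on real data, paste the lines returned by dig with +dnssec (DS from the parent's servers, the rest from the child's) into the input.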