[dns-operations] Dealing with the bizarre - grantee.fema.gov
marek at vavrusa.com
Wed Jul 8 19:12:58 UTC 2020
I can confirm for 220.127.116.11. The main problem is that DNSKEY with DO bit
doesn't fit in UDP response without fragmentation and TCP retry
returns NODATA, so it's not retrievable unless you set the bufsize to
at least 1853 bytes (DO bit bumps the response size). There's a
workaround for that so at least A record resolves for the time being.
We've reached out to FEMA, so hopefully it'll get fixed soon.
On Wed, 8 Jul 2020 at 11:41, Brian Somers <bsomers at opendns.com> wrote:
> I thought this was worth a question here as I’m completely confused about how
> this domain functions.
> As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
> and respond correctly:
> # dig +short ns fema.gov
> # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
> grantee.fema.gov. 86400 IN DS 1164 10 1 [omitted]
> grantee.fema.gov. 86400 IN RRSIG DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
> grantee.fema.gov. 300 IN NS ns-dc2gtm2.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc1gtm1.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc2gtm1.dhs.gov.
> grantee.fema.gov. 300 IN NS ns-dc1gtm2.dhs.gov.
> However, grantee.fema.gov is horribly broken:
> • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
> • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
> • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit
> The bit that confuses me however:
> • Querying 18.104.22.168, 22.214.171.124 and 126.96.36.199 for grantee.fema.gov/A works.
> 188.8.131.52 even sets the AD bit.
> • Querying 184.108.40.206 and 220.127.116.11 for grantee.fema.gov/DNSKEY
> * works without the DO bit
> * fails with the DO bit (NODATA and no auth RRs or else a TIMEOUT)
> • Querying 18.104.22.168 for grantee.fema.gov/DNSKEY
> * gets SERVFAIL, regardless of the DO bit.
> I can only suspect that all 3 of these resolvers have an NTA for this domain!
> Other resolvers such as 22.214.171.124 (and 126.96.36.199) correctly SERVFAIL
> the grantee.fema.gov/A query while 188.8.131.52 responds and includes the
> AD bit.
> Can anybody confirm/deny?
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
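The failure modes in the thread (DNSKEY fits over plain UDP, truncates once DO is set and the RRSIGs come along, NODATA with a lone SOA over TCP, NODATA with an empty AUTHORITY or SERVFAIL from resolvers) are all visible in the wire format. The following is an added example, not code from either of the posts above: it builds a query with or without an EDNS0 OPT record (DO bit, advertised UDP payload size), classifies a response from its TC bit, RCODE and section contents, and includes a small live probe. The responses in demo() are constructed here to mimic the behaviours reported and are not captured from the fema.gov or dhs.gov servers; the 1232-byte default for bufsize is the common DNS-flag-day recommendation, not a value from the thread.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "OPT": 41, "RRSIG": 46, "DNSKEY": 48}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, do=False, bufsize=None, qid=0x1234):
    """RD=1 query; an OPT RR is appended only when an EDNS bufsize is given."""
    arcount = 1 if bufsize is not None else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    if bufsize is not None:
        # OPT: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15). DO asks for RRSIGs,
        # which is what pushes a DNSKEY answer past the UDP size the server honours.
        ttl = 0x8000 if do else 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], bufsize, ttl, 0)
    return msg


def skip_name(wire, off):
    while True:
        n = wire[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, two bytes in total
            return off + 2
        off += 1 + n


def parse_rrs(wire, off, count):
    types = []
    for _ in range(count):
        off = skip_name(wire, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        off += 10 + rdlen
        types.append(rtype)
    return types, off


def classify(wire):
    """Return a short label for what a DNSKEY response actually carries."""
    _qid, flags, qd, an, ns, _ar = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(wire, off) + 4
    answer, off = parse_rrs(wire, off, an)
    authority, _ = parse_rrs(wire, off, ns)
    if flags & 0x0200:
        return "TC"  # did not fit in the advertised UDP size: retry over TCP
    rcode = RCODE.get(flags & 0xF, str(flags & 0xF))
    if rcode != "NOERROR":
        return rcode
    if an == 0:
        # NOERROR with an empty ANSWER is NODATA; a well-formed one carries the SOA.
        return "NODATA+SOA" if QTYPE["SOA"] in authority else "NODATA-no-SOA"
    return "DNSKEY+RRSIG" if QTYPE["RRSIG"] in answer else "DNSKEY"


def build_response(query, rcode=0, tc=False, answer=(), authority=()):
    """Constructed response: echoes the question, sets QR/AA, TC and RCODE."""
    qid = struct.unpack_from("!H", query, 0)[0]
    qend = skip_name(query, 12) + 4
    flags = 0x8400 | (0x0200 if tc else 0) | rcode
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answer), len(authority), 0)
    msg += query[12:qend]
    for rtype, rdata in list(answer) + list(authority):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def probe(server, qname, qtype="DNSKEY", do=True, bufsize=1232, tcp=False, timeout=3.0):
    """Live check (needs network): UDP with EDNS settings, or TCP with length prefix."""
    q = build_query(qname, qtype, do=do, bufsize=bufsize)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            if tcp:
                s.connect((server, 53))
                s.sendall(struct.pack("!H", len(q)) + q)
                n = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < n:
                    data += s.recv(n - len(data))
            else:
                s.sendto(q, (server, 53))
                data = s.recv(65535)
        except socket.timeout:
            return "TIMEOUT"
    return classify(data)


def demo():
    """Classify constructed responses shaped like the ones reported in the thread."""
    q_plain = build_query("grantee.fema.gov", "DNSKEY")
    q_do = build_query("grantee.fema.gov", "DNSKEY", do=True, bufsize=1232)
    key = b"\x01\x01\x03\x0a" + b"\x00" * 260  # constructed DNSKEY rdata, fake key bytes
    soa = b"\xc0\x0c\xc0\x0c" + b"\x00" * 20   # constructed SOA rdata
    return {
        "auth-udp-no-do": classify(build_response(q_plain, answer=[(QTYPE["DNSKEY"], key)])),
        "auth-udp-do": classify(build_response(q_do, tc=True)),
        "auth-tcp-do": classify(build_response(q_do, authority=[(QTYPE["SOA"], soa)])),
        "resolver-do": classify(build_response(q_do)),
        "resolver-servfail": classify(build_response(q_do, rcode=2)),
    }


if __name__ == "__main__":
    print(demo())
```

To reproduce the observations against a real server, call probe() four times (DO off/on over UDP, then over TCP) and compare the labels; raising bufsize past the size of the signed DNSKEY RRset is the only way the UDP DO query succeeds if the TCP path keeps answering NODATA.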