[dns-operations] Dealing with the bizarre - grantee.fema.gov

Marek Vavruša marek at vavrusa.com
Wed Jul 8 19:12:58 UTC 2020


I can confirm for 1.1.1.1. The main problem is that DNSKEY with DO bit
doesn't fit in UDP response without fragmentation and TCP retry
returns NODATA, so it's not retrievable unless you set the bufsize to
at least 1853 bytes (DO bit bumps the response size). There's a
workaround for that so at least the A record resolves for the time being.
We've reached out to FEMA, so hopefully it'll get fixed soon.

Marek



On Wed, 8 Jul 2020 at 11:41, Brian Somers <bsomers at opendns.com> wrote:
>
> I thought this was worth a question here as I’m completely confused about how
> this domain functions.
>
> As a preamble, the fema.gov authorities have a grantee.fema.gov/DS RRset
> and respond correctly:
>     # dig +short ns fema.gov
>     a1-91.akam.net.
>     a7-64.akam.net.
>     a8-65.akam.net.
>     a9-66.akam.net.
>     a16-67.akam.net.
>     a22-66.akam.net.
>
>     # dig +noall +auth +dnssec +nocrypt grantee.fema.gov @a1-91.akam.net
>     grantee.fema.gov.       86400   IN      DS      1164 10 1 [omitted]
>     grantee.fema.gov.       86400   IN      RRSIG   DS 8 3 86400 20200711020644 20200708010644 27168 fema.gov. [omitted]
>     grantee.fema.gov.       300     IN      NS      ns-dc2gtm2.dhs.gov.
>     grantee.fema.gov.       300     IN      NS      ns-dc1gtm1.dhs.gov.
>     grantee.fema.gov.       300     IN      NS      ns-dc2gtm1.dhs.gov.
>     grantee.fema.gov.       300     IN      NS      ns-dc1gtm2.dhs.gov.
>
> However, grantee.fema.gov is horribly broken:
>     • Querying the authority for the DNSKEY without the DO bit works (getting the DNSKEY with no signatures)
>     • Querying the authority for the DNSKEY with the DO bit fails (times out or sets TC)
>     • Querying the authority for the DNSKEY over TCP gets NODATA with an SOA but no other AUTHORITY RRs, regardless of the DO bit
>
> The bit that confuses me however:
>     • Querying 1.1.1.1, 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/A works.
>       8.8.8.8 even sets the AD bit.
>     • Querying 8.8.8.8 and 9.9.9.9 for grantee.fema.gov/DNSKEY
>       * works without the DO bit
>       * fails with the DO bit (NODATA and no auth RRs or else a TIMEOUT)
>     • Querying 1.1.1.1 for grantee.fema.gov/DNSKEY
>       * gets SERVFAIL, regardless of the DO bit.
>
> I can only suspect that all 3 of these resolvers have an NTA for this domain!
> Other resolvers such as 64.6.64.6 (and 208.67.222.2) correctly SERVFAIL
> the grantee.fema.gov/A query while 156.154.70.5 responds and includes the
> AD bit.
>
> Can anybody confirm/deny?
>
>> Brian
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
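The probe matrix Brian ran above (DNSKEY over plain UDP, over UDP with an EDNS0 buffer size and the DO bit, and over TCP) can be reproduced against any zone with the script below. It is an added example written for this page, not code from either poster or from any of the resolver operators, and uses only the Python standard library so you can see the OPT record and the response flags at the byte level. The zone name `zone.example`, the server argument and the two embedded responses (`SAMPLE_TRUNCATED`, `SAMPLE_NODATA`) are constructed for illustration, not captured from the fema.gov or dhs.gov servers.

```python
"""Probe a zone's DNSKEY RRset under different EDNS0 settings and report
TRUNCATED / NODATA / SERVFAIL / ANSWER per probe (standard library only)."""
import socket
import struct

TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 6, 41, 46, 48
CLASS_IN = 1
EDNS_DO = 0x8000   # DO bit is the top bit of the 16-bit flags in the OPT TTL field


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_DNSKEY, bufsize=None, do=False, txid=0x1234):
    """bufsize=None: classic query, no OPT record (512-byte UDP limit).
    Otherwise append an EDNS0 OPT RR advertising bufsize, DO bit if do=True."""
    arcount = 0 if bufsize is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if bufsize is not None:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
    return msg


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return header flags plus the RR types seen in each section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    sections = {}
    for name, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            types.append(rtype)
        sections[name] = types
    return {"size": len(msg), "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "aa": bool(flags & 0x0400), "ad": bool(flags & 0x0020), **sections}


def classify(resp, qtype=TYPE_DNSKEY):
    """Label the outcome the way the thread describes it."""
    if resp["tc"]:
        return "TRUNCATED"
    if resp["rcode"] == 2:
        return "SERVFAIL"
    if resp["rcode"] != 0:
        return "RCODE%d" % resp["rcode"]
    if qtype in resp["answer"]:
        return "ANSWER+RRSIG" if TYPE_RRSIG in resp["answer"] else "ANSWER"
    if TYPE_SOA in resp["authority"]:
        return "NODATA"                 # NOERROR, empty answer, SOA in authority
    return "EMPTY"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf


def probe(server, qname, bufsize=None, do=False, tcp=False, timeout=3.0):
    q = build_query(qname, bufsize=bufsize, do=do)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(65535)
    except socket.timeout:
        return "TIMEOUT"
    return classify(parse_response(data))


# Constructed sample responses (not captured from any real server), for offline use.
_Q = encode_name("zone.example") + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8700, 1, 0, 0, 0) + _Q   # QR,AA,TC,RD
_SOA = encode_name("ns.zone.example") + encode_name("hostmaster.zone.example") + struct.pack("!5I", 1, 2, 3, 4, 5)
SAMPLE_NODATA = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 0, 1, 0) + _Q     # QR,AA,RD
                 + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 300, len(_SOA)) + _SOA)

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]   # authoritative server IP and zone name (assumed args)
    for label, kw in (("UDP, no EDNS", {}), ("UDP 1232 +DO", {"bufsize": 1232, "do": True}),
                      ("UDP 4096 +DO", {"bufsize": 4096, "do": True}),
                      ("TCP +DO", {"bufsize": 4096, "do": True, "tcp": True})):
        print("%-14s %s" % (label, probe(server, zone, **kw)))
```

Run it as `python3 probe.py <server-ip> <zone>` against each authoritative server. A zone showing the symptom in the thread prints TRUNCATED for the small-buffer DO probe, an answer with RRSIGs once the advertised buffer is large enough, and NODATA over TCP; a healthy zone answers with RRSIGs on every DO probe. The 1232-byte size is the common default chosen to avoid IP fragmentation, which is exactly why a 1853-byte signed DNSKEY response trips it.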