[dns-operations] Looking for someone in charge for gtm-ext.dla.mil, DNSSEC validates as Bogus

Simon Arlott simon at arlott.org
Thu Mar 11 23:54:29 UTC 2021


On 11/03/2021 23:36, Casey Deccio wrote:
> Oh, I see now.  The actual delegation is missing completely, as far as I can tell.
> 
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil a
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil aaaa
> $ dig +short @ns1.dla.mil gtm-ext.dla.mil ns

The TTLs go down when querying ns1 and ns4, so it's proxying for
something else.

There are NS records, but you can only get them if you query for ANY,
and only some of the time depending on which load balancer you hit:

$ dig @ns1.dla.mil gtm-ext.dla.mil any +nord

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> +edns=0 +multiline @ns1.dla.mil gtm-ext.dla.mil any +nord
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12196
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gtm-ext.dla.mil.	IN ANY

;; ANSWER SECTION:
gtm-ext.dla.mil.	2768 IN	RRSIG DNSKEY 8 3 10800 (
				20210316072845 20210309062845 33646 gtm-ext.dla.mil.
				Y/SRn1gSny4y227Tw63EOWWxvfgqqBORRrxxtZQZSHOT
				I+gtGaRI8UXcww8P+M9pW2LgfnH5IjDj7Y8vv4Shyw1O
				I1yLIUVQZDlOrL/w1pPod9vOyl8WyLZkt9g6u0WLUluR
				UuV+xZ4y7CSZ2VOORryh/cWZjaOYnSc2TAkf8RrFB65Q
				4Yweo4AHM4OdlZuR5nsSlYny2lBBmAysaZdTyOb+/yNN
				E5FCuW0Opq/d0YGDEgdMJZafeN65xKuIK/5HNQAUyHw2
				GmYHck3X1Awf0cENw5W+dIeqg0bdHGU5GbJF9O0ctPAL
				Sa2/JRV76b2NVBFKAKSivM2tAjlk6iz2mg== )
gtm-ext.dla.mil.	2768 IN	RRSIG DNSKEY 8 3 10800 (
				20210316072845 20210309062845 29085 gtm-ext.dla.mil.
				nnRCF/XioY5fo1AuwJT9bITXO0kFyFdPKr7p76S6Hft+
				pSEkkTM8Mq7YijkWHt7HW8L2ae0K+Ag9ogrAKCIhPBOG
				A4WSM/faB62yzWwasRC/RDTUSI93eFj1PLD4b3Fj1GNL
				ECQTgWS8KjctT42M8xjz5NE/EY+bTsxL+yYouzw= )
gtm-ext.dla.mil.	2768 IN	DNSKEY 257 3 8 (
				AwEAAakiB93xx2GkyKCjqE9tsGE8Xb/cbS9oW+AIjD23
				bvsRxRVczDUchMbw6RvbJq/qH9rdspXCStgpdEvLWXWC
				0cCTkx/cJ8hf3UJMgMj3jd3lTxSo1KJaS5DXRdJR2+Ou
				YEUZ3NMVJZhuJsVlYDJRFWOrnLOxuWYU65aY/eRE7rp9
				Z9aPN21bIDzokmVI9L3v8hd3ApQJhe2B4hnuKvvU5R+0
				lDkK9t2cHjvrh3ggAhR9fqZIUkVWzZA01mgJR3D8gt1M
				iwX9sPGwSAmCHCGdljrhvPy675CBt3cSdhCced1Ys4eI
				zblyp/fWsdRGaldYWWZYQUw21NGzCVTd0faNSpc=
				) ; KSK; alg = RSASHA256 ; key id = 33646
gtm-ext.dla.mil.	2768 IN	DNSKEY 256 3 8 (
				AwEAAcldZpiH0g67gZS8K0T7VxRXumVxDinai8hrK17P
				zRZlAn63Zx5eNOFMql4TZ1e2eT3lwwH1zMx8mWbQqvQa
				fbhlkm9onfnJkAa7oaRpi/YHK/lStrBadmYx6aE/DOz+
				7o5EM/mYlvfoS0kQm0RR21aMxNZ4za1mbV5N13OY5Nhj
				) ; ZSK; alg = RSASHA256 ; key id = 29085
gtm-ext.dla.mil.	875 IN NS hl-doddmz-gtm-ur.dla.mil.
gtm-ext.dla.mil.	875 IN NS co-doddmz-gtm-ur.dla.mil.
gtm-ext.dla.mil.	35173 IN RRSIG DS 8 3 86400 (
				20210320013600 20210310012713 58143 dla.mil.
				mOpFYLQH8NkyFO3d7FCzCeZACD8puDeu2QW/dTRt4Hai
				CtWpD0zzwrjmt4yg4RY8cf35BSsMqt95Cgz6Rxvgea58
				8ZYyJoi+he6N/2gHZgBUbYlJPR38vGuYYka/oKhhccGy
				3VBFc2JrvYZ/y+yProfjWii8hTVglZE9hb0ch70= )
gtm-ext.dla.mil.	35173 IN DS 33646 8 1 (
				6F6FAF621C1DBD3966B1B2FAC3F41F773A297388 )
gtm-ext.dla.mil.	35173 IN DS 33646 8 2 (
				CF58476A6E7145302866A112677862F08BB29611B6AC
				DBED0FC44997BB75D8BA )

;; Query time: 120 msec
;; SERVER: 206.38.35.3#53(206.38.35.3)
;; WHEN: Thu Mar 11 23:49:49 GMT 2021
;; MSG SIZE  rcvd: 1259

-- 
Simon Arlott


More information about the dns-operations mailing list