[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov

cjc+dns-oarc at pumpky.net cjc+dns-oarc at pumpky.net
Tue Oct 18 04:52:43 UTC 2022


Having some problems resolving qa.ws.igt.fiscal.treasury.gov. There is 
pretty clearly a problem,

https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/

Trying to figure out the nature of the brokenness.

What it looks like to me is that everything above fiscal.treasury.gov is 
supposed to be insecure (unsigned). There is a zone cut at 
fiscal.treasury.gov, but it is not properly delegated in DNSSEC. The 
servers are signing above the cut with the treasury.gov ZSK, but there 
are no DS records in the parent or the DNSKEY records in the 
fiscal.treasury.gov apex. Thus, the responses are seen as BOGUS.

Now if our servers saw it as completely broken, I'd understand. But 
names above fiscal.treasury.gov sometimes work. Sometimes they don't. 
That's what's really confusing me.

Of course, the answer here is to get treasury.gov to fix their servers. 
I've emailed the MNAME in the SOA, but if any Feds lurking who know 
someone at treasury.gov, it'd be great if you give the right people a 
heads up.

But I'd like to also understand why we're getting sporadic success and 
failures.


More information about the dns-operations mailing list