[dns-operations] Trouble with qa.ws.igt.fiscal.treasury.gov
cjc+dns-oarc at pumpky.net
Tue Oct 18 04:52:43 UTC 2022
Having some problems resolving qa.ws.igt.fiscal.treasury.gov. There is
pretty clearly a problem,
https://dnsviz.net/d/qa.ws.igt.fiscal.treasury.gov/dnssec/
Trying to figure out the nature of the brokenness.
What it looks like to me is that everything above fiscal.treasury.gov is
supposed to be insecure (unsigned). There is a zone cut at
fiscal.treasury.gov, but it is not properly delegated in DNSSEC. The
servers are signing above the cut with the treasury.gov ZSK, but there
are no DS records in the parent or the DNSKEY records in the
fiscal.treasury.gov apex. Thus, the responses are seen as BOGUS.
Now if our servers saw it as completely broken, I'd understand. But
names above fiscal.treasury.gov sometimes work. Sometimes they don't.
That's what's really confusing me.
Of course, the answer here is to get treasury.gov to fix their servers.
I've emailed the MNAME in the SOA, but if any Feds are lurking who know
someone at treasury.gov, it'd be great if you'd give the right people a
heads up.
But I'd like to also understand why we're getting sporadic success and
failures.
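The delegation facts the post walks through (a zone cut at fiscal.treasury.gov, no DS in the parent, no DNSKEY at the child apex, RRSIGs whose signer name is the parent zone) can be checked mechanically. This is an added example, not code from the original post: the record snapshot is constructed to mirror the described state, and the key tags, rdata and nameserver names are placeholders a practitioner would replace with real dig output.

```python
# Constructed sample data, shaped like dig output; NOT live records.
# RRSIG entries are (type covered, Signer's Name, key tag); DNSKEY entries are
# (placeholder rdata, key tag). Everything except the owner names is made up.
SNAPSHOT = {
    ("treasury.gov.", "NS"): ["ns.treasury.gov."],
    ("treasury.gov.", "DNSKEY"): [("257 3 8 KSK", 11111), ("256 3 8 ZSK", 22222)],
    ("fiscal.treasury.gov.", "NS"): ["ns1.fiscal.treasury.gov."],  # zone cut exists
    ("fiscal.treasury.gov.", "DS"): [],                            # parent has no DS
    ("fiscal.treasury.gov.", "DNSKEY"): [],                        # apex has no keys
    ("qa.ws.igt.fiscal.treasury.gov.", "A"): ["192.0.2.10"],
    # signed above the cut with the treasury.gov ZSK, as the post describes
    ("qa.ws.igt.fiscal.treasury.gov.", "RRSIG"): [("A", "treasury.gov.", 22222)],
}

def zone_apex(name, snapshot=SNAPSHOT):
    """Closest enclosing name (the name itself included) that owns an NS RRset."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if snapshot.get((candidate, "NS")):
            return candidate
    return "."

def check_chain(name, rtype="A", snapshot=SNAPSHOT):
    """Return the delegation findings for name/rtype plus a validator-style verdict."""
    apex = zone_apex(name, snapshot)
    sigs = [s for s in snapshot.get((name, "RRSIG"), []) if s[0] == rtype]
    apex_tags = {tag for _, tag in snapshot.get((apex, "DNSKEY"), [])}
    f = {
        "apex": apex,
        "ds_in_parent": bool(snapshot.get((apex, "DS"))),
        "dnskey_at_apex": bool(apex_tags),
        # RFC 4035 s5.3.1: Signer's Name MUST be the apex of the zone holding the RRset
        "signer_is_apex": bool(sigs) and all(signer == apex for _, signer, _ in sigs),
        "signer_key_at_apex": bool(sigs) and all(tag in apex_tags for _, _, tag in sigs),
    }
    if not sigs and not f["ds_in_parent"]:
        f["verdict"] = "insecure: no DS at %s and unsigned answer" % apex
    elif not f["signer_is_apex"]:
        f["verdict"] = "bogus: RRSIG signed above the zone cut at %s" % apex
    elif not f["ds_in_parent"] or not f["signer_key_at_apex"]:
        f["verdict"] = "bogus: no DS/DNSKEY chain to the signing key at %s" % apex
    else:
        f["verdict"] = "chain consistent (signatures not cryptographically checked here)"
    return f

if __name__ == "__main__":
    for k, v in check_chain("qa.ws.igt.fiscal.treasury.gov.").items():
        print("%-20s %s" % (k, v))
```

Swapping the constructed snapshot for the DS, DNSKEY and RRSIG RRsets returned by each of the parent's authoritative servers in turn is one way to see whether the sporadic failures line up with different servers giving different views.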