[165573] in North American Network Operators' Group
Re: Is the FBI's DNSSEC no longer broken?
daemon@ATHENA.MIT.EDU (John Levine)
Mon Sep 9 09:43:08 2013
Date: 9 Sep 2013 13:42:37 -0000
From: "John Levine" <johnl@iecc.com>
To: nanog@nanog.org
In-Reply-To: <20130903212813.4637.qmail@joyce.lan>

>I heard back, seems like I found someone at the FBI who was able to
>explain the problem to Neustar (DNS software provider) who say they
>will fix it.

Seems to be fixed now. Here's the formerly broken query, via unbound:

; <<>> DiG 9.8.3-P4 <<>> mail.ic.fbi.gov aaaa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24041
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mail.ic.fbi.gov. IN AAAA
;; AUTHORITY SECTION:
fbi.gov. 600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013090301 7200 3600 2592000 43200
fbi.gov. 600 IN RRSIG SOA 7 2 600 20131202142044 20130903142044 32497 fbi.gov. lGgY8jWxYyxqi/pezCXZpSnY7B2UqDTvOQMrxt+REnd7rCHs2qU2U5k3 qnfAOVbPr2lEOVaChT9i+tElTQNfZxrmg0DvR+Nluj9DBD6kfwPnGdOT iBZJvrEhNsq5fY0DJ3jF7RMzr9YtA+Jl1T6bM+aWiUgXn9zvFT39+ReJ vA0=
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 41250 IN RRSIG NSEC3 7 3 43200 20131202142044 20130903142044 32497 fbi.gov. ZqMr4lUifz0n46YCL/s/qa3iMp0Hz8OhIuYC/uDgWzwPJsD26VTECG0G aG4xWUlmumfm6GLMppo07keXa273bsJEYXgXVhTEWHMbDqrc5xhBPykG C53E8N36dcmzdnfN+v7cVnwWXdPOKMrIBPrZhBuHD2qT0QepAgdo8Aoa lgQ=
;; Query time: 161 msec
;; SERVER: 192.168.80.2#53(192.168.80.2)
;; WHEN: Mon Sep 9 09:41:43 2013
;; MSG SIZE rcvd: 509