Maintained by: NLnet Labs

[Unbound-users] dfas.mil DNSSEC Failure

Ehren Hawks
Fri Jun 28 15:47:03 CEST 2013


Yesterday a customer of ours reported they couldn't get to mypay.dfas.mil.
Upon looking into it I see both of my Unbound servers are returning
SERVFAIL. Given the type of site this is I suspected this to be a possible
DNSSEC issue. I verified there's an issue here:
http://dnsviz.net/d/dfas.mil/dnssec/
.dfas.mil/DNSKEY:This RRset is not covered by any RRSIG.

.dfas.mil/MX:DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but
the dfas.mil/MX RRset was not signed by any DNSKEY with algorithm(s) 7.

.dfas.mil/SOA:DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but
the dfas.mil/SOA RRset was not signed by any DNSKEY with algorithm(s) 7.

.dfas.mil/TXT:DNSKEYs exist for algorithm(s) 8, 7 in the dfas.mil zone, but
the dfas.mil/TXT RRset was not signed by any DNSKEY with algorithm(s) 7.
I tested resolution against both DNS-OARC's BIND and Unbound DNSSEC public
servers:

BIND 9    149.20.64.20    2001:4f8:3:2bc:1::64:20
Unbound   149.20.64.21    2001:4f8:3:2bc:1::64:21

Their Unbound server fails just as mine do, but their BIND server returns
the A record. I'm reluctant to disable DNSSEC validation over this one
domain, considering there appears to be an actual problem. Considering BIND
as well as Google's public DNS are validating this site OK, I figured it was
worth bringing up.
Any feedback is appreciated!
/ehren
