.GOV zones may not resolve due to DNSSEC problems.

Published: 2013-08-14
Last Updated: 2013-08-14 16:25:39 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Update: looks like this has been fixed now. Of course bad cached data may cause this issue to persist for a while.

Currently, many users are reporting that .gov domain names (e.g. fbi.gov) will not resolve. The problem appears to be related to an error in the DNSSEC configuration of the .gov zone.

According to a quick check with dnsviz.net, it appears that there is no DS record for the current .gov KSK deposited with the root zone.

dnsviz.net Screen Shot

(excerpt from: http://dnsviz.net/d/fbi.gov/dnssec/) 

DNSSEC relies on two types of keys each zone uses:

- A "key signing key" (KSK) and
- A "zone signing key" (ZSK)

The KSK  is usually long and its hash is deposited with the parent zone as a "DS" (Digital Signing) record. This KSK is then used to sign shorter ZSKs which are then used to sign the actual records in the zone file. This way, the long key signing key doesn't have to be changed too often, and the DS record with the parent zone doesn't require too frequent updates. On the other hand, most of the "crypto work" is done using shorter ZSKs, which in turns improves DNSSEC performance.

I am guessing that the .gov zone recently rotated it's KSK, but didn't update the corresponding DS record witht he root zone. 

This will affect pretty much all .gov domains as .gov domains have to be signed using DNSSEC. You will only experience problems if your name server (or your ISP's name server) verifies DNSSEC signatures.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dnssec gov
2 comment(s)
Diary Archives