1.1.1.2 issues with my.ippsa.army.mil

dkontyko · April 5, 2023, 1:31am

I’m pretty sure this website has the same DNSSEC issue detailed here: https://community.cloudflare.com/t/1-1-1-1-cant-reach-us-mil-websites/17027. But I was hoping to get a quick confirmation that the Army’s DNSSEC records are incorrectly configured, and there’s not some other issues going on. Can you please confirm that’s why this domain (and hr.ippsa.army.mil) return NXDOMAIN from your resolver?

The Army’s recommendation was to use 9.9.9.9 for DNS instead, so I am hoping that providing them more information on the misconfiguration will help get the DNSSEC records straightened out.

Thank you very much for providing a great, free service!

https://cloudflare-dns.com/help/?_ga=2.158880946.923446376.1680657664-1418048578.1680091094#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6IlllcyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IklBRCIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9

https://dnsviz.net/d/my.ippsa.army.mil/dnssec/

dkontyko · April 5, 2023, 11:31am

Adding a few more checks I did locally:

% dig my.ippsa.army.mil @9.9.9.9

; <<>> DiG 9.18.13 <<>> my.ippsa.army.mil @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46635
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my.ippsa.army.mil.		IN	A

;; ANSWER SECTION:
my.ippsa.army.mil.	28	IN	A	156.112.91.251

;; Query time: 203 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Tue Apr 04 21:37:27 EDT 2023
;; MSG SIZE  rcvd: 62

% dig my.ippsa.army.mil @1.1.1.1

; <<>> DiG 9.18.13 <<>> my.ippsa.army.mil @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (failed to verify my.ippsa.army.mil. A)
; EDE: 23 (Network Error): (130.114.200.6:53 rcode=SERVFAIL for my.ippsa.army.mil SOA)
;; QUESTION SECTION:
;my.ippsa.army.mil.		IN	A

;; Query time: 71 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 04 21:37:59 EDT 2023
;; MSG SIZE  rcvd: 152

% dig my.ippsa.army.mil @1.0.0.1

; <<>> DiG 9.18.13 <<>> my.ippsa.army.mil @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55876
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (failed to verify my.ippsa.army.mil. A)
; EDE: 23 (Network Error): (130.114.200.6:53 rcode=SERVFAIL for my.ippsa.army.mil SOA)
;; QUESTION SECTION:
;my.ippsa.army.mil.		IN	A

;; Query time: 13 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (UDP)
;; WHEN: Tue Apr 04 21:38:05 EDT 2023
;; MSG SIZE  rcvd: 152

% dig my.ippsa.army.mil @8.8.8.8

; <<>> DiG 9.18.13 <<>> my.ippsa.army.mil @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44489
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;my.ippsa.army.mil.		IN	A

;; Query time: 455 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Apr 05 07:31:07 EDT 2023
;; MSG SIZE  rcvd: 46

system · April 20, 2023, 11:32am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.