Cannot resolve USCG.MIL


#1

Hi,

Cloudflare DNS will not resolve uscg.mil
Switching to 8.8.4.4 solves this problem.

Tests

cloudflare-dns.com/help URL
https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJIS0ciLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Digs

dig uscg.mil @1.1.1.1

; <<>> DiG 9.10.6 <<>> uscg.mil @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7735
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;uscg.mil. IN A

;; Query time: 4204 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Aug 05 22:16:16 HKT 2018
;; MSG SIZE rcvd: 37

dig uscg.mil @1.0.0.1

; <<>> DiG 9.10.6 <<>> uscg.mil @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17288
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;uscg.mil. IN A

;; Query time: 4202 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Sun Aug 05 22:16:40 HKT 2018
;; MSG SIZE rcvd: 37

dig uscg.mil @8.8.8.8

; <<>> DiG 9.10.6 <<>> uscg.mil @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63970
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;uscg.mil. IN A

;; ANSWER SECTION:
uscg.mil. 306 IN A 152.121.184.21

;; Query time: 200 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 05 22:16:55 HKT 2018
;; MSG SIZE rcvd: 53

dig +short CHAOS TXT id.server @1.1.1.1
"HKG"

dig +short CHAOS TXT id.server @1.0.0.1
"HKG"


#2

Hi, the key set for uscg.mil is currently bogus. It looks like the operator didn’t properly finish the key rollover and ns4.uscg.mil is returning an old keyset: http://dnsviz.net/d/uscg.mil/dnssec/

I’ve turned off DNSSEC for this zone until it’s fixed :frowning:


#3

Hi, thanks for getting back to me.

I tested it just now UTC 18:08 but it is still not resolving. Should I redo the tests?

kl


#4

Hi, can you retest? It can time out occasionally if one of the NSs is unresponsive, but it generally resolves.
EDIT: It seems that the uscg.mil nameservers are not reachable from all PoPs (HKG included). I’m not sure if this is intentional or a firewall misconfiguration; we’ll investigate.
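
Posts #2 and #4 give two different causes for the same SERVFAIL: a DNSSEC validation failure and authoritative nameservers the resolver cannot reach. As an added example (not part of the thread and not Cloudflare tooling), this Python code parses dig output and uses a retry with dig's `+cd` (checking disabled) option to tell the two apart. The first two samples are condensed from post #1; the two `+cd` replies and the classification labels are constructed for illustration.

```python
import re

# Condensed from the dig output in post #1.
SERVFAIL_1111 = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7735
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 4204 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
"""
NOERROR_8888 = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63970
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 200 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
# Constructed replies to a retry with "dig +cd" (validation skipped by the resolver).
CD_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

def parse_dig(text):
    """Extract the fields that matter for triage from one dig response."""
    hdr = re.search(r"status: (\w+), id: (\d+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    qtime = re.search(r";; Query time: (\d+) msec", text)
    server = re.search(r";; SERVER: ([0-9a-fA-F.:]+)#", text)
    if not (hdr and flags and answers):
        raise ValueError("not a dig response")
    return {"status": hdr.group(1), "flags": set(flags.group(1).split()),
            "answers": int(answers.group(1)),
            "query_ms": int(qtime.group(1)) if qtime else None,
            "server": server.group(1) if server else None}

def triage(normal, cd=None):
    """Classify a lookup from the normal reply and an optional +cd reply."""
    if normal["status"] == "NOERROR":
        # The ad flag means the resolver validated the answer with DNSSEC.
        return "validated" if "ad" in normal["flags"] else "resolved-unvalidated"
    if normal["status"] != "SERVFAIL":
        return "other:" + normal["status"]
    if cd is None:
        return "servfail-needs-cd-retry"
    # Data returned only when validation is skipped points at the signatures.
    if cd["status"] == "NOERROR" and cd["answers"] > 0:
        return "dnssec-validation-failure"
    return "upstream-unreachable"
```

A SERVFAIL that persists with `+cd` rules out validation as the only cause, which matches the reachability explanation in post #4.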


#5

Considering that it resolves from Google and my local DNS, probably something at your end.

Thanks for looking into this.

kl