Missing AD bit on some responses that validate elsewhere (8.8.8.8)

I’m noticing the AD bit is missing for certain responses to mail.mil queries. The same queries return AD bit from google and multiple other validating resolvers I use. Any idea why?

dig @8.8.8.8 mail.mil mx
dig @1.1.1.1 mail.mil mx

dig @1.1.1.1 www.disa.mil

Thank you,
Peter

Given that a query to 1.1.1.1 will not return any DNSSEC data, it appears likely that DNSSEC validation has been specifically disabled for mail.mil (when validation is disabled, the Knot resolver used for 1.1.1.1 will not send the DNSSEC_OK flag to authoritative servers and thus cannot provide that data to its own clients even if it is requested).

dig +dnssec @1.1.1.1 mail.mil

The reason for such a negative trust anchor is only known to Cloudflare, but it may have been related to other problems with DNSSEC validation for the domain. One possible cause might be that the DNSKEY response for mail.mil is 1497 bytes long (the IPv4 UDP response would then have an IP packet size of 1525, which will definitely require fragmentation).

dig +dnssec @8.8.8.8 mail.mil dnskey

I don’t see any other typical reasons for disabling DNSSEC validation, such as overbroad NSEC3 replies that prove nonexistence of records that do exist, but it is possible that there are other issues, as the .MIL domains have a pretty long track record of unusual behaviors related to DNSSEC.

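To make the mechanics in the reply above concrete, here is an added example (not code from the thread, Cloudflare, or Google): a small wire-format helper that sets the DO bit on a query, reads the AD bit and the DO bit back out of a reply, and does the 1497 + 28 byte arithmetic for the IPv4/UDP fragmentation point. The three messages it builds are constructed, not captured traffic: a DO query for mail.mil/MX, a validated reply with AD set, and the DO-less upstream query a resolver sends when validation is off for the name.

```python
"""Minimal DNS wire-format helpers: set DO on a query, read AD/DO from a reply,
and check whether a UDP reply of a given size fits in one IPv4 datagram."""
import struct

# Header flag bits (RFC 1035 4.1.1; AD and CD are defined in RFC 4035 3.1.6)
FLAGS = {"qr": 1 << 15, "aa": 1 << 10, "tc": 1 << 9, "rd": 1 << 8,
         "ra": 1 << 7, "ad": 1 << 5, "cd": 1 << 4}
TYPE_OPT = 41
EDNS_DO = 1 << 15           # DNSSEC OK: high bit of the OPT RR "TTL" field (RFC 3225)
IPV4_UDP_OVERHEAD = 20 + 8  # IPv4 header without options + UDP header


def encode_name(name):
    """Presentation-form name -> uncompressed wire-format labels."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def build_message(name, qtype, flag_names=("rd",), do=True, txid=0x1234, bufsize=1232):
    """Query or reply skeleton: header, one question, one OPT RR in the additional section."""
    flags = sum(FLAGS[f] for f in flag_names)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root owner name, TYPE=OPT, CLASS=UDP payload size,
    # TTL=extended rcode/version/flags (DO lives here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
    return header + question + opt


def parse_flags(msg):
    """Header flag bits as a dict of booleans, plus the RCODE."""
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {name: bool(flags & bit) for name, bit in FLAGS.items()}
    out["rcode"] = flags & 0xF
    return out


def edns_do(msg):
    """True/False for the DO bit of the OPT RR, or None when the message has no EDNS."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return None


def ipv4_udp_packet_size(dns_payload_len):
    """IP packet size for a DNS payload carried in one IPv4/UDP datagram."""
    return dns_payload_len + IPV4_UDP_OVERHEAD


def needs_fragmentation(dns_payload_len, mtu=1500):
    """True when that datagram would exceed the path MTU (1500 on plain Ethernet)."""
    return ipv4_udp_packet_size(dns_payload_len) > mtu


if __name__ == "__main__":
    MX = 15
    client_query = build_message("mail.mil", MX, ("rd",), do=True)
    validated_reply = build_message("mail.mil", MX, ("qr", "rd", "ra", "ad"), do=True)
    # What a resolver with validation switched off for the name sends upstream: no DO
    upstream_query = build_message("mail.mil", MX, ("rd",), do=False)
    print("client query DO:", edns_do(client_query))
    print("validated reply AD:", parse_flags(validated_reply)["ad"])
    print("upstream query DO:", edns_do(upstream_query))
    print("1497-byte DNSKEY reply on the wire:", ipv4_udp_packet_size(1497),
          "bytes, fragments:", needs_fragmentation(1497))
```

The AD bit is only meaningful on the reply of a resolver you trust and reach over an authenticated path; it tells you the resolver validated, not that you can. The DO check on the upstream query is the part that matches the observation in the reply: with no DO sent to the authoritative server, no RRSIGs come back, so there is nothing to hand to a client that asked with +dnssec.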

One thing you could do to reduce the response size for the mail.mil/DNSKEY query would be to configure your name servers not to sign the DNSKEY RRSet with the ZSK:

$ dig +noall +answer +stats +nocrypto +dnssec mail.mil dnskey @8.8.8.8
mail.mil.		1400	IN	DNSKEY	257 3 8 [key id = 30919]
mail.mil.		1400	IN	DNSKEY	257 3 8 [key id = 28882]
mail.mil.		1400	IN	DNSKEY	256 3 8 [key id = 40044]
mail.mil.		1400	IN	RRSIG	DNSKEY 8 2 3600 20190801134159 20190702134159 28882 mail.mil. [omitted]
mail.mil.		1400	IN	RRSIG	DNSKEY 8 2 3600 20190801134159 20190702134159 30919 mail.mil. [omitted]
mail.mil.		1400	IN	RRSIG	DNSKEY 8 2 3600 20190801134159 20190702134159 40044 mail.mil. [omitted]
;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 30 09:01:25 EDT 2019
;; MSG SIZE  rcvd: 1497

Removing the unnecessary and redundant RRSIG for the key id 40044 would reduce the size of the response enough that it would probably fit in a single IPv4 UDP datagram.

If this pointless RRSIG is being generated by DNSSEC signing software that you bought from a vendor (I suspect it is), you should file a feature request with them to have the zone signing omit the ZSK signature for the DNSKEY RRSet, since only the KSK signatures are required or used in validating that RRSet.
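As an added example (not from the thread or from any signing product), here is a script that reads the dig output quoted above, works out which RRSIG over the DNSKEY RRset was made by a key without the SEP flag (256 = ZSK, 257 = KSK), and estimates how much the reply shrinks without it. The dig lines are re-typed from the post as a constant; the ZSK modulus size is not shown in the thread, so the 1024-bit value used in the demo is an assumption passed in as a parameter.

```python
"""Flag a DNSKEY RRset that carries a ZSK signature alongside the KSK signatures,
and estimate the reply size once the redundant RRSIG is dropped."""
import re

SEP_FLAG = 0x0001          # DNSKEY flags "Secure Entry Point" bit (RFC 4034 2.1.1), set on KSKs
RSA_ALGORITHMS = {5, 7, 8, 10}   # RSA/SHA-1, RSASHA1-NSEC3-SHA1, RSA/SHA-256, RSA/SHA-512
IPV4_UDP_OVERHEAD = 28     # 20-byte IPv4 header + 8-byte UDP header

# The `dig +noall +answer +nocrypto +dnssec mail.mil dnskey` output from the post,
# re-typed here (whitespace collapsed); dig already elided the key and signature data.
DIG_OUTPUT = """\
mail.mil. 1400 IN DNSKEY 257 3 8 [key id = 30919]
mail.mil. 1400 IN DNSKEY 257 3 8 [key id = 28882]
mail.mil. 1400 IN DNSKEY 256 3 8 [key id = 40044]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 28882 mail.mil. [omitted]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 30919 mail.mil. [omitted]
mail.mil. 1400 IN RRSIG DNSKEY 8 2 3600 20190801134159 20190702134159 40044 mail.mil. [omitted]
"""

DNSKEY_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+\d+\s+(\d+)\s+\[key id = (\d+)\]")
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)\s+(\S+)")


def parse_rrset(text):
    """Return ({key_tag: (flags, algorithm)}, [(type_covered, algorithm, key_tag, signer)])."""
    keys, sigs = {}, []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line)
        if m:
            keys[int(m.group(4))] = (int(m.group(2)), int(m.group(3)))
            continue
        m = RRSIG_RE.match(line)
        if m:
            sigs.append((m.group(2), int(m.group(3)), int(m.group(4)), m.group(5)))
    return keys, sigs


def redundant_dnskey_sigs(keys, sigs):
    """Key tags of RRSIG(DNSKEY) records made by keys that lack the SEP bit.

    A validator accepts the DNSKEY RRset on the strength of a signature by a key
    that matches the parent's DS; by convention that is the SEP-flagged KSK, so a
    ZSK's signature over the RRset adds bytes but no security."""
    return [tag for covered, _alg, tag, _signer in sigs
            if covered == "DNSKEY" and tag in keys and not keys[tag][0] & SEP_FLAG]


def wire_name_len(name):
    """Uncompressed wire length of a name (RRSIG signer names must not be compressed)."""
    return sum(len(l) + 1 for l in name.split(".") if l) + 1


def rrsig_wire_size(signer, sig_len):
    """Bytes one RRSIG RR takes in a reply: 2-byte compressed owner name, 10 bytes of
    type/class/TTL/RDLENGTH, 18 bytes of fixed RDATA (type covered .. key tag),
    the uncompressed signer name, and the signature itself."""
    return 2 + 10 + 18 + wire_name_len(signer) + sig_len


def size_without_zsk_sig(msg_size, signer, zsk_bits, algorithm=8):
    """Reply size with the ZSK's RRSIG(DNSKEY) removed. For the RSA algorithms the
    signature is exactly as long as the key modulus; other algorithms need their own
    signature length, so they are refused here rather than guessed."""
    if algorithm not in RSA_ALGORITHMS:
        raise ValueError("signature length estimate only implemented for RSA algorithms")
    return msg_size - rrsig_wire_size(signer, zsk_bits // 8)


if __name__ == "__main__":
    keys, sigs = parse_rrset(DIG_OUTPUT)
    redundant = redundant_dnskey_sigs(keys, sigs)
    print("redundant RRSIG(DNSKEY) by key tag:", redundant)
    ZSK_BITS = 1024   # assumption: the thread does not show the ZSK modulus size
    smaller = size_without_zsk_sig(1497, "mail.mil.", ZSK_BITS)
    print("estimated reply:", smaller, "bytes; IPv4/UDP packet:", smaller + IPV4_UDP_OVERHEAD)
```

With a 1024-bit ZSK the reply drops by 168 bytes to roughly 1329, which is 1357 bytes on the wire and inside a 1500-byte MTU; a 2048-bit ZSK saves even more. For BIND users, dnssec-signzone's -x option produces exactly this layout (DNSKEY RRset signed by KSKs only); for other signers the feature request the post suggests is the route.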