yeah. its sad. looked like a poorly timed key roll for akam.cdc.gov dnskey. hope it doesnt make the idiot "dream team" inside USG just say "turn dnssec off".
On Fri, Dec 25, 2020 at 3:15 PM Viktor Dukhovni <[email protected]> wrote: > On Thu, Dec 24, 2020 at 07:12:35PM -0500, Robert Edmonds wrote: > > > I'm also seeing intermittent SERVFAILs with www.cdc.gov. Possibly this a > > recent change due to a change in the CNAME target. I don't recall seeing > > SERVFAILs for www.cdc.gov before this month, but I could be wrong. > > Welcome to the wonderful world of DNS balancers, cutting every corner > they believe they can get away with, leaving it to the world at large to > implement work-arounds. Even www.verisign.com is not entirely kosher: > > https://dnsviz.net/d/www.verisign.com/X-VoNA/dnssec/ > > The parent verisign.com zone delegates www.verisign.com to some > load-balancers that don't bother returning NS records for the zone apex. > > Another long-standing case is "mail.protection.outlook.com", where's > still no sign of EDNS support, and queries for e.g. TLSA RRs return > NOTIMP (rather than NODATA or, in this case, NXDOMAIN): > > > https://dnsviz.net/d/_25._tcp.nist-gov.mail.protection.outlook.com/dnssec/ > > -- > Viktor. > _______________________________________________ > dns-operations mailing list > [email protected] > https://lists.dns-oarc.net/mailman/listinfo/dns-operations >
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
