On Sat, Jul 27, 2024 at 10:05:31AM +1000, Viktor Dukhovni wrote:
> On Fri, Jul 26, 2024 at 04:53:10PM -0500, Richard Laager via dns-operations
> wrote:
>
> > I'm looking for a cdc.gov contact. I've already tried [email protected] and
> > [email protected] with no luck.
>
> The SOA RR for akam.cdc.gov (problem zone) lists as its "rname":
>
> [email protected]
>
> And the GOV opendata lists a security contact for cdc.gov of:
>
> [email protected]
>
> > According to a BIND developer:
> >
> > "simply by querying for cdc.gov/NS first and only then querying for
> > www.cdc.gov/A - the result will be a SERVFAIL... That's because the
> > authoritative server set is different in gov. and in cdc.gov. and, in
> > particular, all of the servers listed in the NS RRset at the child side of
> > the zone cut return REFUSED to all queries for akam.cdc.gov and its
> > subdomains. That's why as soon as a resolver caches the child-side NS
> > RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"
>
> This is correct, only the parent-side NS RRset includes nameservers that
> are willing to delegate "akam.cdc.gov".

I would say that I lightly consider this a bug in dig which won't report
the response received:

pi@raspberrypi:~ $ dig +trace www.akam.cdc.gov.
; <<>> DiG 9.20.0-Debian <<>> +trace www.akam.cdc.gov.
;; global options: +cmd
. 25712 IN NS d.root-servers.net.
. 25712 IN NS c.root-servers.net.
. 25712 IN NS f.root-servers.net.
. 25712 IN NS j.root-servers.net.
. 25712 IN NS k.root-servers.net.
. 25712 IN NS m.root-servers.net.
. 25712 IN NS b.root-servers.net.
. 25712 IN NS a.root-servers.net.
. 25712 IN NS g.root-servers.net.
. 25712 IN NS e.root-servers.net.
. 25712 IN NS i.root-servers.net.
. 25712 IN NS h.root-servers.net.
. 25712 IN NS l.root-servers.net.
. 25712 IN RRSIG NS 8 0 518400 20240811050000
20240729040000 20038 . FGSl16unUNVC74FO1dPo6eDKysS+GHYoJCR0G2lbDJNDLZgeqVm/Y/vP
PPG9AlTtjyn6/1ZhglFVWk6BEv4IUbHx/iD2ato7L+DlmiC2StkEecCq
Uf3jfT7vnJ6Nhvwok7AHHCEAzUb6JK6iKkcZCfFNw84oqIMSUtsHZaSe
2LGrbkiRmfmIxC1dIeMTkXSlFPiPSOAe/y+bOF5yZ4OzOJe5LA8aS/e7
CwILaycLx+j4wafGKY+xTX+cIoW3+Pa9ZUMD3tgzsf5Rn3wLtAvfeu6J
txun+DdMi9tc6EQWClhVqk3J19RIxat3zR4jtajIOrdXpplmEvNMmZsM uIbVqA==
;; Received 525 bytes from 9.9.9.9#53(9.9.9.9) in 3 ms
gov. 172800 IN NS a.ns.gov.
gov. 172800 IN NS d.ns.gov.
gov. 172800 IN NS c.ns.gov.
gov. 172800 IN NS b.ns.gov.
gov. 86400 IN DS 2536 13 2
0BAF26B7BBF313A859046FD3B1EE49DDFBA33934CFB3E717C21E2A29 35C2F259
gov. 86400 IN RRSIG DS 8 1 86400 20240811170000
20240729160000 20038 . Q0tmikQf/3GA6jhojagHH4zT9RtouE5HFg93dLidPKy2m6qDm/zxhc6k
x0VOMVAShRllJTc98f6ipB0WtqAKK1+AeUcB4pHtAixzi1gdNQF5riKE
MyOfEAtgslKPbh0ngjQCtUXOS50dgSTkjY6l6F3umGjl38ZQhwrZappp
278LQEgJ6FoNiLUOBbro9JV98Akkk7NU3PV8+VnpJZ7N+Id1lSBqMZP0
WxomRnD7T+MCrcIoB1q61nyYQ86mumtl8uj9EVRdc9s93ISwrqSq194Y
Rw+5UNpA9AvVCIC96wCf8dd7ASljAZb5r9bftMCrQxpBjZpeA3xiEqa1 HSKdaA==
;; Received 629 bytes from 2001:7fd::1#53(k.root-servers.net) in 43 ms
cdc.gov. 10800 IN NS auth00.ns.uu.net.
cdc.gov. 10800 IN NS auth100.ns.uu.net.
cdc.gov. 10800 IN NS ns1.cdc.gov.
cdc.gov. 10800 IN NS ns2.cdc.gov.
cdc.gov. 10800 IN NS ns3.cdc.gov.
cdc.gov. 3600 IN DS 21719 8 2
A88D11ECFE2889312EB2F84D4BA9DC72A1750FD4AC2F5BE97D69B768 1A564AF0
cdc.gov. 3600 IN RRSIG DS 13 2 3600 20240730195315
20240728175315 35496 gov.
7oX/5O69fpCRz7j9MqHL4jFbJxK2eOiTGxQ0iVX6AW6yYzN8EhyOfO24
mkrZ1kEtd7X02yq4o4FIYuKXuvdThQ==
;; Received 346 bytes from 199.33.233.1#53(d.ns.gov) in 3 ms
;; Received 73 bytes from 198.246.125.10#53(ns3.cdc.gov) in 27 ms

This does obviously point to where the issue is. There is a right way to
do the CNAME etc. If nobody resolves it soon, I'll try to push it
through internal contacts towards the account team, but you should also
be able to reach out to the DHS CERT helpdesk to route the inquiry over
there as well.

- Jared
--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
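
Added example, not part of the original message and not BIND code: a simplified Python model of the caching behaviour the quoted BIND developer describes, where the same lookup succeeds or returns SERVFAIL depending on whether the child-side NS RRset was cached first. All server names and their responses are constructed assumptions, not cdc.gov data.

```python
# Simplified model; all server names and responses below are constructed.
REFERRAL, REFUSED = "REFERRAL", "REFUSED"

# How each server answers a query for a name under the delegated subzone.
SUBZONE_BEHAVIOUR = {
    "ns-old1.example.": REFERRAL,  # still hands out the subzone delegation
    "ns-old2.example.": REFERRAL,
    "ns-new1.example.": REFUSED,   # refuses everything under the subzone
    "ns-new2.example.": REFUSED,
}
# NS RRset in the parent's referral vs. the one served at the zone apex.
PARENT_SIDE_NS = ["ns-new1.example.", "ns-old1.example.", "ns-old2.example."]
CHILD_SIDE_NS = ["ns-new1.example.", "ns-new2.example."]


def usable_servers(ns_set):
    """Servers in an NS RRset that will delegate the subzone."""
    return [s for s in ns_set if SUBZONE_BEHAVIOUR[s] == REFERRAL]


class Resolver:
    def __init__(self):
        self.ns_cache = None  # cached NS RRset for the zone

    def query_zone_ns(self):
        # An authoritative answer from the child outranks referral data,
        # so it replaces whatever the parent's referral had put in the cache.
        self.ns_cache = list(CHILD_SIDE_NS)

    def resolve_in_subzone(self):
        if self.ns_cache is None:
            self.ns_cache = list(PARENT_SIDE_NS)  # learned from the referral
        tried = []
        for server in self.ns_cache:
            rcode = SUBZONE_BEHAVIOUR[server]
            tried.append((server, rcode))
            if rcode == REFERRAL:
                return "NOERROR", tried  # delegation followed, lookup continues
        return "SERVFAIL", tried  # every cached server refused


if __name__ == "__main__":
    cold = Resolver()
    print("A query only:    ", cold.resolve_in_subzone())
    warm = Resolver()
    warm.query_zone_ns()
    print("NS query first:  ", warm.resolve_in_subzone())
    print("child-side servers that delegate:", usable_servers(CHILD_SIDE_NS))
```

An empty result from `usable_servers` on the child-side set is the condition to audit for: the zone then resolves only for resolvers that have not yet cached the apex NS RRset.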