This has been noted many times over the last 3 months on multiple lists but it looks like the CDC have made things worse recently. All the servers for cdc.gov now return unsigned answers for akam.cdc.gov. Previously only 3 of the six were returning bad answers, the other 3 were returning referrals.

[email protected],
If you are going to have parent servers for a zone serve the child zone (akam.cdc.gov) you need to ensure that they serve the CORRECT content. I suggest that you find someone that is competent to configure CDC.GOV's DNS servers as whoever is currently doing it is out of their depth.

Mark

> On 15 Jan 2021, at 11:04, John R. Levine <[email protected]> wrote:
>
> I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a
> CNAME for www.cdc.gov.edgekey.net.
>
> But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
> the same zone on the same server is not. Huh? What?
>
> $ dig @ns1.cdc.gov www.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.cdc.gov. IN A
>
> ;; ANSWER SECTION:
> www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.
> www.cdc.gov. 300 IN RRSIG CNAME 7 3 300 20210119032636
> 20210109024411 9155 cdc.gov.
> FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT
> hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF
> XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
> www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net.
>
>
> $ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov. IN A
>
> ;; ANSWER SECTION:
> www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net.
>
>
> Regards,
> John Levine, [email protected], Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
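
Added example, not part of the original thread or written by either poster: a small Python check that reads the ANSWER section of a `dig +dnssec` response and lists the RRsets under a signed zone that arrive without a covering RRSIG, which is the symptom shown in the quoted output. The function name `unsigned_rrsets` and the placeholder signature string are assumptions made for this illustration.

```python
# Added example: flag answer RRsets that lack a covering RRSIG.
from collections import OrderedDict

# Answer-section lines modeled on the dig output quoted in the thread; the
# signature field is a constructed placeholder, not the real RRSIG data.
SAMPLE_ANSWER = """\
www.cdc.gov.       300  IN CNAME www.akam.cdc.gov.
www.cdc.gov.       300  IN RRSIG CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. PLACEHOLDERSIG=
www.akam.cdc.gov.  3600 IN CNAME www.cdc.gov.edgekey.net.
"""


def unsigned_rrsets(answer_text, zone):
    """Return (owner, type) pairs at or below `zone` with no covering RRSIG."""
    zone = zone.lower().rstrip(".") + "."
    rrsets = OrderedDict()   # (owner, type) in order of first appearance
    covered = set()          # (owner, type covered) taken from RRSIG records
    for line in answer_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue         # skip blank lines and dig comment lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue         # not a "name ttl IN type rdata" record line
        owner, rrtype = fields[0].lower(), fields[3].upper()
        if rrtype == "RRSIG":
            # The first RDATA field of an RRSIG is the type it covers.
            covered.add((owner, fields[4].upper()))
        else:
            rrsets[(owner, rrtype)] = True

    def in_zone(name):
        return name == zone or name.endswith("." + zone)

    return [key for key in rrsets if in_zone(key[0]) and key not in covered]


if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE_ANSWER, "cdc.gov"):
        print(f"no RRSIG covering {owner} {rrtype}")
```

A hit is a prompt to inspect the delegation at the zone cut (DS or NSEC records in the parent), not proof on its own that validation will fail.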

