Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-09-01 Thread Yasuhiro Orange Morishita / 森下泰宏
Mark-san,

> Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net
> and they aren’t serving an incomplete version of akam.cdc.gov.

Certainly, cdc.gov has 5 NSes.  And both uu.net servers return the correct
answer for the covid.cdc.gov/A query.

I added two dig outputs to my text, thank you.
<https://www.dropbox.com/s/alfb1ftvzpd6qcv/20200831-covid.cdc.gov.txt>

I think this case is so curious and these digs should be preserved,
like the appldnld case.
<https://www.dropbox.com/s/nvw46gtxupggo1e/20120314-appldnld.apple.com.txt>

-- Orange

From: Mark Andrews 
Subject: Re: [dns-operations] Strange behavior of covid.cdc.gov
Date: Tue, 1 Sep 2020 14:22:16 +1000

> Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net
> and they aren’t serving an incomplete version of akam.cdc.gov.  Recursive
> servers will eventually get a valid referral rather than bogus (unsigned)
> answers from ns[123].cdc.gov for akam.cdc.gov.
> 
> Mark
> 
>> On 1 Sep 2020, at 00:47, Stephane Bortzmeyer wrote:
>>
>> On Mon, Aug 31, 2020 at 10:12:04PM +0900,
>> Yasuhiro Orange Morishita / 森下泰宏 wrote
>> a message of 18 lines which said:
>>
>>> But it seems to be a little bit strange.  The auth servers of the cdc.gov
>>> zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
>>> have the DS RR for the real akam.cdc.gov zone.
>> 
>> They also do not return a proper delegation:
>> 
>> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: 70d47b392dfb22d2662352815f4d0d3fe1c90df99f508386 (good)
>> ;; QUESTION SECTION:
>> ;akam.cdc.gov.   IN A
>> 
>> ;; AUTHORITY SECTION:
>> akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>>                 612558384  ; serial
>>                 300        ; refresh (5 minutes)
>>                 180        ; retry (3 minutes)
>>                 1209600    ; expire (2 weeks)
>>                 3600       ; minimum (1 hour)
>>                 )
>> 
>> ;; Query time: 98 msec
>> ;; SERVER: 198.246.96.92#53(198.246.96.92)
>> ;; WHEN: Mon Aug 31 16:46:23 CEST 2020
>> ;; MSG SIZE  rcvd: 129
>> 
>> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44336
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: 2e27a9b171983390a21696a65f4d0d54710de953e8dd107b (good)
>> ;; QUESTION SECTION:
>> ;akam.cdc.gov.   IN DNSKEY
>> 
>> ;; AUTHORITY SECTION:
>> akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>>                 612558384  ; serial
>>                 300        ; refresh (5 minutes)
>>                 180        ; retry (3 minutes)
>>                 1209600    ; expire (2 weeks)
>>                 3600       ; minimum (1 hour)
>>                 )
>> 
>> ;; Query time: 98 msec
>> ;; SERVER: 198.246.96.92#53(198.246.96.92)
>> ;; WHEN: Mon Aug 31 16:46:44 CEST 2020
>> ;; MSG SIZE  rcvd: 129
>> 
>> Which may explain the strange error messages of DNSviz (the IP
>> addresses are for the parent zone).
>> ___
>> dns-operations mailing list
>> dns-operations@lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
> 
> 


Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Mark Andrews
Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net
and they aren’t serving an incomplete version of akam.cdc.gov.  Recursive
servers will eventually get a valid referral rather than bogus (unsigned)
answers from ns[123].cdc.gov for akam.cdc.gov.

Mark

> On 1 Sep 2020, at 00:47, Stephane Bortzmeyer wrote:
>
> On Mon, Aug 31, 2020 at 10:12:04PM +0900,
> Yasuhiro Orange Morishita / 森下泰宏 wrote
> a message of 18 lines which said:
>
>> But it seems to be a little bit strange.  The auth servers of the cdc.gov
>> zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
>> have the DS RR for the real akam.cdc.gov zone.
> 
> They also do not return a proper delegation:
> 
> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: 70d47b392dfb22d2662352815f4d0d3fe1c90df99f508386 (good)
> ;; QUESTION SECTION:
> ;akam.cdc.gov.   IN A
>
> ;; AUTHORITY SECTION:
> akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>                 612558384  ; serial
>                 300        ; refresh (5 minutes)
>                 180        ; retry (3 minutes)
>                 1209600    ; expire (2 weeks)
>                 3600       ; minimum (1 hour)
>                 )
> 
> ;; Query time: 98 msec
> ;; SERVER: 198.246.96.92#53(198.246.96.92)
> ;; WHEN: Mon Aug 31 16:46:23 CEST 2020
> ;; MSG SIZE  rcvd: 129
> 
> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44336
> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ; COOKIE: 2e27a9b171983390a21696a65f4d0d54710de953e8dd107b (good)
> ;; QUESTION SECTION:
> ;akam.cdc.gov.   IN DNSKEY
>
> ;; AUTHORITY SECTION:
> akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>                 612558384  ; serial
>                 300        ; refresh (5 minutes)
>                 180        ; retry (3 minutes)
>                 1209600    ; expire (2 weeks)
>                 3600       ; minimum (1 hour)
>                 )
> 
> ;; Query time: 98 msec
> ;; SERVER: 198.246.96.92#53(198.246.96.92)
> ;; WHEN: Mon Aug 31 16:46:44 CEST 2020
> ;; MSG SIZE  rcvd: 129
> 
> Which may explain the strange error messages of DNSviz (the IP
> addresses are for the parent zone).

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org




Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Stephane Bortzmeyer
On Mon, Aug 31, 2020 at 10:12:04PM +0900,
 Yasuhiro Orange Morishita / 森下泰宏 wrote
 a message of 18 lines which said:

> But it seems to be a little bit strange.  The auth servers of the cdc.gov
> zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
> have the DS RR for the real akam.cdc.gov zone.

They also do not return a proper delegation:

% dig +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 70d47b392dfb22d2662352815f4d0d3fe1c90df99f508386 (good)
;; QUESTION SECTION:
;akam.cdc.gov.  IN A

;; AUTHORITY SECTION:
akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
                612558384  ; serial
                300        ; refresh (5 minutes)
                180        ; retry (3 minutes)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )

;; Query time: 98 msec
;; SERVER: 198.246.96.92#53(198.246.96.92)
;; WHEN: Mon Aug 31 16:46:23 CEST 2020
;; MSG SIZE  rcvd: 129

% dig +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44336
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2e27a9b171983390a21696a65f4d0d54710de953e8dd107b (good)
;; QUESTION SECTION:
;akam.cdc.gov.  IN DNSKEY

;; AUTHORITY SECTION:
akam.cdc.gov.   3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
                612558384  ; serial
                300        ; refresh (5 minutes)
                180        ; retry (3 minutes)
                1209600    ; expire (2 weeks)
                3600       ; minimum (1 hour)
                )

;; Query time: 98 msec
;; SERVER: 198.246.96.92#53(198.246.96.92)
;; WHEN: Mon Aug 31 16:46:44 CEST 2020
;; MSG SIZE  rcvd: 129

Which may explain the strange error messages of DNSviz (the IP
addresses are for the parent zone).
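
The difference discussed in this thread, a referral versus an unsigned authoritative answer for a name the parent still holds a DS for, can be checked mechanically from `dig +norec` output. The following is an added example, not part of the original messages: `parse`, `classify`, the result labels and the `child.example.` referral sample (including its record data) are constructed for illustration; the first sample is trimmed from the dig output posted above.

```python
import re
# Trimmed from the dig output quoted in the thread (SOA timers collapsed to one line).
SHADOW = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;akam.cdc.gov.   IN A
;; AUTHORITY SECTION:
akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. 612558384 300 180 1209600 3600
"""

# Constructed contrast case: the referral a signed parent returns at a secure zone cut.
REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;child.example.   IN A
;; AUTHORITY SECTION:
child.example. 3600 IN NS ns1.child.example.
child.example. 3600 IN DS 12345 8 2 00AA
child.example. 3600 IN RRSIG DS 8 2 3600 20200930000000 20200901000000 54321 example. c2ln
"""

def parse(text):
    """Return (flags, answer_count, qname, [(owner, rrtype)] from the AUTHORITY section)."""
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M).group(1).split()
    answer = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname = re.search(r"QUESTION SECTION:\n;(\S+)", text).group(1).lower()
    section, authority = None, []
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
        elif section == "AUTHORITY" and line and not line.startswith(";"):
            owner, _ttl, _cls, rrtype = line.split()[:4]
            authority.append((owner.lower(), rrtype))
    return flags, answer, qname, authority

def classify(text, parent_has_ds):
    flags, answer, qname, authority = parse(text)
    types = {rrtype for owner, rrtype in authority if owner == qname}
    if "aa" not in flags and "NS" in types:
        return "referral"
    if "aa" in flags and answer == 0 and "SOA" in types:
        # Unsigned NODATA served as the child, under a parent DS: validators see bogus.
        bogus = parent_has_ds and "RRSIG" not in types
        return "bogus-shadow-zone" if bogus else "authoritative-nodata"
    return "other"
print(classify(SHADOW, parent_has_ds=True), classify(REFERRAL, parent_has_ds=True))
```

`parent_has_ds` has to come from a separate DS query against the parent zone; the classifier only looks at the one response it is given.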


Re: [dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Warren Kumari
On Mon, Aug 31, 2020 at 9:23 AM Yasuhiro Orange Morishita / 森下泰宏
 wrote:
>
> Hi,
>
> Now covid.cdc.gov seems to have a DNSSEC validation error.
> Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL.
> e.g. dig covid.cdc.gov @8.8.8.8
>
> But it seems to be a little bit strange.  The auth servers of the cdc.gov
> zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
> have the DS RR for the real akam.cdc.gov zone.
>
> This is the output of the digs.
> 

... and for those of us who prefer the pretty graph version:
https://dnsviz.net/d/covid.cdc.gov/dnssec/

Another thing that is interesting is:
$ dig covid.cdc.gov @ns1.cdc.gov

[SNIP]

;; ANSWER SECTION:
Covid.cdc.gov. 3600 IN CNAME covid.akam.cdc.gov.
covid.akam.cdc.gov. 3600 IN CNAME covid.cdc.gov.edgekey.net.

The uppercase 'C' in the 'Covid.cdc.gov. 3600 IN CNAME
covid.akam.cdc.gov.' from the auth is interesting... Not wrong, just
interesting...

W



>
> -- Orange



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf



[dns-operations] Strange behavior of covid.cdc.gov

2020-08-31 Thread Yasuhiro Orange Morishita / 森下泰宏
Hi,

Now covid.cdc.gov seems to have a DNSSEC validation error.
Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL.
e.g. dig covid.cdc.gov @8.8.8.8

But it seems to be a little bit strange.  The auth servers of the cdc.gov
zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
have the DS RR for the real akam.cdc.gov zone.

This is the output of the digs.


-- Orange