This has been noted many times over the last 3 months on multiple lists but it
looks like the CDC have made things worse recently. All the servers for
cdc.gov now return unsigned answers for akam.cdc.gov. Previously only 3 of the
six where returning bad answers, the other 3 where returning referrals.
responsibledisclos...@hhs.gov,
If you are going to have parent servers for a zone serve the child zone
(akam.cdc.gov) you need to ensure that they serve the CORRECT content.
I suggest that you find someone that is competent to configure CDC.GOV's DNS
servers as whomever is currently doing it is out of their depth.
Mark
> On 15 Jan 2021, at 11:04, John R. Levine wrote:
>
> I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a
> CNAME for www.cdc.gov.edgekey.net.
>
> But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
> the same zone on the same server is not. Huh? What?
>
> $ dig @ns1.cdc.gov www.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.cdc.gov. IN A
>
> ;; ANSWER SECTION:
> www.cdc.gov. 300 IN CNAME www.akam.cdc.gov.
> www.cdc.gov. 300 IN RRSIG CNAME 7 3 300 20210119032636
> 20210109024411 9155 cdc.gov.
> FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT
> hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF
> XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
> www.akam.cdc.gov. 3600IN CNAME www.cdc.gov.edgekey.net.
>
>
> $ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov.IN A
>
> ;; ANSWER SECTION:
> www.akam.cdc.gov. 3600IN CNAME www.cdc.gov.edgekey.net.
>
>
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org