Re: DNSSEC failures for www.cdc.gov

2021-01-14 Thread Mark Andrews
This has been noted many times over the last 3 months on multiple lists but it 
looks like the CDC have made things worse recently.  All the servers for 
cdc.gov now return unsigned answers for akam.cdc.gov.  Previously only 3 of the 
six were returning bad answers, the other 3 were returning referrals.

responsibledisclos...@hhs.gov,
If you are going to have parent servers for a zone serve the child zone 
(akam.cdc.gov) you need to ensure that they serve the CORRECT content.

I suggest that you find someone that is competent to configure CDC.GOV's DNS 
servers as whoever is currently doing it is out of their depth.

Mark

> On 15 Jan 2021, at 11:04, John R. Levine  wrote:
> 
> I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a 
> CNAME for www.cdc.gov.edgekey.net.
> 
> But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
> the same zone on the same server is not.  Huh?  What?
> 
> $ dig @ns1.cdc.gov www.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.cdc.gov. IN  A
> 
> ;; ANSWER SECTION:
> www.cdc.gov.  300 IN  CNAME   www.akam.cdc.gov.
> www.cdc.gov.  300 IN  RRSIG   CNAME 7 3 300 20210119032636 
> 20210109024411 9155 cdc.gov. 
> FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT 
> hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF 
> XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
> www.akam.cdc.gov. 3600 IN  CNAME   www.cdc.gov.edgekey.net.
> 
> 
> $ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov.  IN  A
> 
> ;; ANSWER SECTION:
> www.akam.cdc.gov. 3600 IN  CNAME   www.cdc.gov.edgekey.net.
> 
> 
> Regards,
> John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for 
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



DNSSEC failures for www.cdc.gov

2021-01-14 Thread John R. Levine
I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a 
CNAME for www.cdc.gov.edgekey.net.


But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
the same zone on the same server is not.  Huh?  What?

$ dig @ns1.cdc.gov www.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.   IN  A

;; ANSWER SECTION:
www.cdc.gov.    300 IN  CNAME   www.akam.cdc.gov.
www.cdc.gov.    300 IN  RRSIG   CNAME 7 3 300 20210119032636 
20210109024411 9155 cdc.gov. 
FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT 
hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF 
XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.   3600 IN  CNAME   www.cdc.gov.edgekey.net.


$ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.  IN  A

;; ANSWER SECTION:
www.akam.cdc.gov.   3600 IN  CNAME   www.cdc.gov.edgekey.net.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
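A script for spotting the symptom in the two dig outputs above, added here as an example and not part of the thread or of anything ISC or the CDC publish: it parses the text `dig +dnssec` prints, confirms the DO bit was set, and lists every answer RRset that arrived without a covering RRSIG. The two responses are reproduced from John Levine's post (with the tab spacing dig normally emits); the function names are my own, and the script reads captured output rather than querying the network so it runs offline.

```python
"""List answer RRsets that an authoritative server returned without an RRSIG.

Added example: parses captured `dig +dnssec` output instead of querying DNS.
"""

import re

# One resource record as dig prints it: owner, TTL, class IN, type, rdata.
# dig separates the fields with tabs; any run of whitespace is accepted here.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s*(.*)$")


def do_bit_set(dig_text):
    """True when the OPT pseudosection shows the DO flag.  Without DO=1 an
    authoritative server is not expected to include RRSIGs at all, so a
    missing signature would tell us nothing."""
    m = re.search(r"^;\s*EDNS:.*?flags:([^;]*)", dig_text, re.M)
    return bool(m) and "do" in m.group(1).split()


def parse_answer_section(dig_text):
    """Return (owner, ttl, type, rdata) tuples from the ANSWER SECTION.
    Long records such as RRSIGs wrap onto continuation lines; a line that
    does not start a new record is appended to the previous record's rdata."""
    records = []
    in_answer = False
    for raw in dig_text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(";;"):
            break  # a blank line or the next section header ends the answers
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append([owner, int(ttl), rtype, rdata.strip()])
        elif records:
            records[-1][3] = (records[-1][3] + " " + line).strip()
    return [tuple(r) for r in records]


def unsigned_rrsets(dig_text):
    """(owner, type) pairs that were answered without a covering RRSIG.
    The first rdata field of an RRSIG is the type it covers, so the pair
    (owner, covered type) identifies the RRset each signature belongs to."""
    if not do_bit_set(dig_text):
        raise ValueError("DO bit not set in the query; RRSIG absence is expected")
    answered, signed = set(), set()
    for owner, _ttl, rtype, rdata in parse_answer_section(dig_text):
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))
        else:
            answered.add((owner, rtype))
    return sorted(answered - signed)


# Response quoted in the thread for: dig @ns1.cdc.gov www.cdc.gov +dnssec
DIG_WWW_CDC_GOV = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.\t\tIN\tA

;; ANSWER SECTION:
www.cdc.gov.\t\t300\tIN\tCNAME\twww.akam.cdc.gov.
www.cdc.gov.\t\t300\tIN\tRRSIG\tCNAME 7 3 300 20210119032636
20210109024411 9155 cdc.gov.
FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT
hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF
XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.\t3600\tIN\tCNAME\twww.cdc.gov.edgekey.net.
"""

# Response quoted in the thread for: dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
DIG_WWW_AKAM_CDC_GOV = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.\tIN\tA

;; ANSWER SECTION:
www.akam.cdc.gov.\t3600\tIN\tCNAME\twww.cdc.gov.edgekey.net.
"""


if __name__ == "__main__":
    for label, text in (("www.cdc.gov", DIG_WWW_CDC_GOV),
                        ("www.akam.cdc.gov", DIG_WWW_AKAM_CDC_GOV)):
        for owner, rtype in unsigned_rrsets(text):
            print(f"{label}: {owner} {rtype} answered with aa set but no RRSIG")
```

Run against either capture the script reports `www.akam.cdc.gov. CNAME` as the unsigned RRset, which is exactly the break in the chain a validating resolver hits: the first CNAME carries a signature, the one the same server serves for the akam.cdc.gov name does not. The same parse can be pointed at `dig` output for each of the zone's nameservers to see which of them return the bad answer.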