I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a CNAME for www.cdc.gov.edgekey.net. But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in the same zone on the same server is not. Huh? What? $ dig @ns1.cdc.gov www.cdc.gov +dnssec ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.cdc.gov. IN A ;; ANSWER SECTION: www.cdc.gov. 300 IN CNAME www.akam.cdc.gov. www.cdc.gov. 300 IN RRSIG CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A= www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net. $ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.akam.cdc.gov. IN A ;; ANSWER SECTION: www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net. Regards, John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly