I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a CNAME for www.cdc.gov.edgekey.net. But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in the same zone on the same server is not. Huh? What?

$ dig @ns1.cdc.gov www.cdc.gov +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.                   IN      A

;; ANSWER SECTION:
www.cdc.gov.            300     IN      CNAME   www.akam.cdc.gov.
www.cdc.gov.            300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.

$ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.              IN      A

;; ANSWER SECTION:
www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
This has been noted many times over the last 3 months on multiple lists but it looks like the CDC have made things worse recently. All the servers for cdc.gov now return unsigned answers for akam.cdc.gov. Previously only 3 of the six were returning bad answers, the other 3 were returning referrals.

ResponsibleDisclosure@hhs.gov,

If you are going to have parent servers for a zone serve the child zone (akam.cdc.gov) you need to ensure that they serve the CORRECT content. I suggest that you find someone that is competent to configure CDC.GOV's DNS servers as whoever is currently doing it is out of their depth.

Mark
On 15 Jan 2021, at 11:04, John R. Levine <johnl@iecc.com> wrote:

> I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a CNAME for www.cdc.gov.edgekey.net.
> But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in the same zone on the same server is not. Huh? What?
>
> $ dig @ns1.cdc.gov www.cdc.gov +dnssec
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.cdc.gov.                   IN      A
>
> ;; ANSWER SECTION:
> www.cdc.gov.            300     IN      CNAME   www.akam.cdc.gov.
> www.cdc.gov.            300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
> www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.
>
> $ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;www.akam.cdc.gov.              IN      A
>
> ;; ANSWER SECTION:
> www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.
>
> Regards,
> John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
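The check the two posters are doing by eye, as an added example that is not code from either of them: parse dig's text output for a DO=1 query and report whether an authoritative server answered with fully signed RRsets, with a proper referral to the child zone (unsigned NS plus a signed DS), or with bare unsigned data as ns1.cdc.gov did for www.akam.cdc.gov. The referral sample, its NS name and its DS digest are invented for the example; the parser only reads the flags and record lines, so the question section and signature data are abbreviated.

```python
import re
# Constructed samples in dig's text layout (question section omitted, signature data truncated): the
# two authoritative answers quoted above, plus a hypothetical referral (invented NS name and DS digest).
ANSWER_WWW = """;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.cdc.gov.      300  IN CNAME www.akam.cdc.gov.
www.cdc.gov.      300  IN RRSIG CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. FxxFahua...w6A=
www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net."""
ANSWER_AKAM = """;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.akam.cdc.gov. 3600 IN CNAME www.cdc.gov.edgekey.net."""
REFERRAL_AKAM = """;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; AUTHORITY SECTION:
akam.cdc.gov.     3600 IN NS    ns-example.akam.cdc.gov.
akam.cdc.gov.     3600 IN DS    12345 7 2 0000000000000000000000000000000000000000000000000000000000000000
akam.cdc.gov.     3600 IN RRSIG DS 7 3 3600 20210119032636 20210109024411 9155 cdc.gov. constructed="""

def parse_dig(text):
    """Return (header flags, EDNS flags, {section: [(owner, type, rdata)]}) from dig output."""
    flags, edns, section, records = set(), set(), None, {}
    for line in text.splitlines():
        if m := re.match(r";; flags:([^;]*);", line):
            flags = set(m.group(1).split())
        elif m := re.match(r"; EDNS: version: \d+, flags:([^;]*);", line):
            edns = set(m.group(1).split())
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif line and not line.startswith(";") and section:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.setdefault(section, []).append((owner, rtype, rdata))
    return flags, edns, records
def unsigned(records, section):
    """RRsets in a section with no RRSIG covering them (RRSIG records are themselves never signed)."""
    rrs = records.get(section, [])
    covered = {(o, rd.split()[0]) for o, t, rd in rrs if t == "RRSIG"}
    return sorted({(o, t) for o, t, _ in rrs if t != "RRSIG"} - covered)

def classify(text):
    """'referral' (child NS plus signed DS), 'signed', or 'unsigned: owner/type' listing bare RRsets."""
    flags, edns, records = parse_dig(text)
    if "do" not in edns:
        return "no-do"  # DO bit not echoed: signatures were never requested, so nothing to judge
    if "aa" not in flags and any(t == "NS" for _, t, _ in records.get("AUTHORITY", [])):
        bad_ds = [x for x in unsigned(records, "AUTHORITY") if x[1] == "DS"]  # NS may be bare; DS may not
        return "referral" if not bad_ds else "referral-unsigned-ds"
    missing = unsigned(records, "ANSWER")
    return "signed" if not missing else "unsigned: " + ", ".join(f"{o}/{t}" for o, t in missing)
```

Run the same classification against the output of `dig @<each NS> www.akam.cdc.gov +dnssec` for every server in the NS set to see which servers answer and which refer, as Mark describes.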