medicare.gov / cms.gov DNSSEC Validation Failures
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation. Emails to hostmaster, webmaster, and postmaster bounce, as does dnsadmin@rdcms.eds.com (from their SOA) and dnsadmin@eds.com (from eds.com's WHOIS). WHOIS for .gov is essentially empty. HHS_ITIO_Service_Desk@hhs.gov was suggested to me, but a person at that address said medicare.gov was not their responsibility and did not provide any further contact information. Thanks, Richard
You should contact the us-cert. They will have contacts to help you resolve the issue. Sent from my iThing On Dec 28, 2010, at 7:39 PM, Richard Laager <rlaager@wiktel.com> wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation.
Emails to hostmaster, webmaster, and postmaster bounce, as does dnsadmin@rdcms.eds.com (from their SOA) and dnsadmin@eds.com (from eds.com's WHOIS). WHOIS for .gov is essentially empty.
HHS_ITIO_Service_Desk@hhs.gov was suggested to me, but a person at that address said medicare.gov was not their responsibility and did not provide any further contact information.
Thanks, Richard
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation.
Ditto. Similar to uspto.gov not too long ago. Try posting to dns-operations. https://lists.dns-oarc.net/mailman/listinfo/dns-operations Almost certainly some *.gov dns admins lurking there. Cheers, Nate Itkin
On 12/28/2010 8:43 PM, Nate Itkin wrote:
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation. Ditto. Similar to uspto.gov not too long ago.
Try posting to dns-operations. https://lists.dns-oarc.net/mailman/listinfo/dns-operations Almost certainly some *.gov dns admins lurking there.
Cheers, Nate Itkin
There's a thread going on about .gov dnssec changes going on. This could be the source of your issues.
On Dec 28, 2010, at 11:39 PM, William Warren wrote:
On 12/28/2010 8:43 PM, Nate Itkin wrote:
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation. Ditto. Similar to uspto.gov not too long ago.
Try posting to dns-operations. https://lists.dns-oarc.net/mailman/listinfo/dns-operations Almost certainly some *.gov dns admins lurking there.
Cheers, Nate Itkin
There's a thread going on about .gov dnssec changes going on. This could be the source of your issues.
Did you get a contact? If not, I know someone over there. J
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation.
Seeing it still broken, I contacted someone over at Lockheed who works over at CMS. They're escalating to "the appropriate support vendor." -cjp
Ditto. On Dec 29, 2010, at 12:32 PM, Christopher J. Pilkington wrote:
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation.
Seeing it still broken, I contacted someone over at Lockheed who works over at CMS. They're escalating to "the appropriate support vendor."
-cjp
On Wed, 2010-12-29 at 12:32 -0500, Christopher J. Pilkington wrote:
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation.
Seeing it still broken, I contacted someone over at Lockheed who works over at CMS. They're escalating to "the appropriate support vendor."
Thank you both for forwarding this. Some progress has been made: I received a response saying they believed they had it fixed. From my testing, medicare.gov is fixed, but cms.gov is still broken (though in a different way, I think). I replied as such and also requested corrected SOA records. Thanks again, Richard
In message <1293658659.2817.17.camel@watermelon.coderich.net>, Richard Laager w
On Wed, 2010-12-29 at 12:32 -0500, Christopher J. Pilkington wrote:
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
I'm looking for a DNS contact for medicare.gov (and cms.gov). They are failing DNSSEC validation. =20 Seeing it still broken, I contacted someone over at Lockheed who works over at CMS. They're escalating to "the appropriate support vendor."
Thank you both for forwarding this. Some progress has been made:
I received a response saying they believed they had it fixed. From my testing, medicare.gov is fixed, but cms.gov is still broken (though in a different way, I think). I replied as such and also requested corrected SOA records.
Thanks again, Richard
Correct cms.gov is still broken the DS records don't match any of the DNSKEY records. 10672 != 12456 or 27229 Mark ; <<>> DiG 9.6.0-APPLE-P2 <<>> ds cms.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21811 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;cms.gov. IN DS ;; ANSWER SECTION: cms.gov. 30410 IN DS 10672 5 1 F11F940C51B90CEB818350F1C7049DD8D54050D8 cms.gov. 30410 IN DS 10672 5 2 A99B67A100FD5EFD0E393FD0C87A6B00424B6A4A032637BC7A11D732 E05AD5BB ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Dec 31 00:12:23 2010 ;; MSG SIZE rcvd: 109 ; <<>> DiG 9.6.0-APPLE-P2 <<>> +cd dnskey +multi cms.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62756 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;cms.gov. IN DNSKEY ;; ANSWER SECTION: cms.gov. 349199 IN DNSKEY 256 3 5 ( AwEAAaSsgUpPtXC4xOHnX//jDm4d4xegc9zupcXwICfm 4jeBD+ZNHJeTSrxPnILqDb310Jxy6UDi6ye0ipOWG8z6 b1oOwmF8LRnpWs+bi9X+AivagVXP2xQQe/pev8KrmMFs UcLZ1PX4w+GxNgsoUGre235fv9IM/EfdD33zSNxeA463 ) ; key id = 12456 cms.gov. 349199 IN DNSKEY 257 3 5 ( AwEAAbZbZW7J+O5/tSwDVrGsv5KDDB7HvItDVeQLvdpr GdyJPVlUvs+u87hsCDU96SwmicXTDGdWZFDmj3x22O4p dERsrKoKYpOAoNR3VLgXMToRZmUnaLZf/MqO+H/54PE7 Ij7oorWmPJpIZrYzn28MMIiOkH1xOS7eDL2NZ4q06oDN vSDefX3HA5i2sUcOureEFUo6gUkLFkY/uPJ3y35A8uz1 KvGd4851UAEfq76sawDl+3uKzETDS5grwmK58NbKKB2O 5SAcAS3OxBMriKLUHjsPpwoxKoG5Mc+jA0egIn7tUAQU zzI0HHnspZvZUEbW18uMTFAQX2du2eyGcMwvGEs= ) ; key id = 27229 ;; Query time: 304 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Fri Dec 31 00:12:47 2010 ;; MSG SIZE rcvd: 449 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
participants (7)
-
Christopher J. Pilkington
-
Jared Mauch
-
Joel Esler
-
Mark Andrews
-
Nate Itkin
-
Richard Laager
-
William Warren