nanog mailing list archives

DNSSEC failures for www.cdc.gov


From: "John R. Levine" <johnl () iecc com>
Date: 14 Jan 2021 19:04:31 -0500

I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a CNAME for www.cdc.gov.edgekey.net.

But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
the same zone on the same server is not.  Huh?  What?

$ dig @ns1.cdc.gov www.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.                   IN      A

;; ANSWER SECTION:
www.cdc.gov.            300     IN      CNAME   www.akam.cdc.gov.
www.cdc.gov.            300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. 
FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF 
XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.


$ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.              IN      A

;; ANSWER SECTION:
www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.


Regards,
John Levine, johnl () taugh com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
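
The comparison made by eye in the message above, as an added example that is not part of the original post: it parses a `dig +dnssec` answer section and lists in-zone RRsets that have no covering RRSIG. It checks for the presence of a signature only, not its cryptographic validity. Assumptions: the function names are hypothetical, the zone is passed in by the caller and has no delegation below it (as the message says), and the sample is the first response's answer section with the signature replaced by a constructed placeholder.

```python
# Sample: answer section of the first query above; signature is a constructed placeholder.
SAMPLE_ANSWER = """\
www.cdc.gov.            300     IN      CNAME   www.akam.cdc.gov.
www.cdc.gov.            300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov.
PLACEHOLDERSIG PLACEHOLDERSIG=
www.akam.cdc.gov.       3600    IN      CNAME   www.cdc.gov.edgekey.net.
"""


def _norm(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_zone(owner, zone):
    """True if normalized `owner` is the zone apex or a name beneath it."""
    return owner == zone or owner.endswith("." + zone)


def unsigned_rrsets(answer_text, zone):
    """Return sorted (owner, type) pairs inside `zone` with no covering RRSIG."""
    zone = _norm(zone)
    rrsets, covered = set(), set()
    for line in answer_text.splitlines():
        f = line.split()
        # Skip blanks, ';' comments and wrapped signature continuation lines.
        if len(f) < 5 or f[0].startswith(";") or not f[1].isdigit() or f[2] != "IN":
            continue
        owner, rrtype = _norm(f[0]), f[3].upper()
        if rrtype == "RRSIG":
            # RDATA order: covered-type alg labels orig-ttl expire incept keytag signer sig
            if len(f) > 11 and _norm(f[11]) == zone:
                covered.add((owner, f[4].upper()))
        elif in_zone(owner, zone):
            rrsets.add((owner, rrtype))
    return sorted(rrsets - covered)


if __name__ == "__main__":
    for owner, rrtype in unsigned_rrsets(SAMPLE_ANSWER, "cdc.gov"):
        print(f"no RRSIG covering {owner} {rrtype}")
```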

