nanog mailing list archives

Re: DNSSEC failures for www.cdc.gov


From: Mark Andrews <marka () isc org>
Date: Fri, 15 Jan 2021 11:57:19 +1100

This has been noted many times over the last 3 months on multiple lists, but it looks like the CDC have made things 
worse recently.  All the servers for cdc.gov now return unsigned answers for akam.cdc.gov.  Previously only 3 of the 
six were returning bad answers; the other 3 were returning referrals.

ResponsibleDisclosure () hhs gov,
If you are going to have parent servers for a zone serve the child zone (akam.cdc.gov) you need to ensure that they 
serve the CORRECT content.

I suggest that you find someone that is competent to configure CDC.GOV's DNS servers, as whoever is currently doing it 
is out of their depth.

Mark

On 15 Jan 2021, at 11:04, John R. Levine <johnl () iecc com> wrote:

I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a CNAME for www.cdc.gov.edgekey.net.

But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
the same zone on the same server is not.  Huh?  What?

$ dig @ns1.cdc.gov www.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27760
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.                 IN      A

;; ANSWER SECTION:
www.cdc.gov.          300     IN      CNAME   www.akam.cdc.gov.
www.cdc.gov.          300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. 
FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF 
XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.     3600    IN      CNAME   www.cdc.gov.edgekey.net.


$ dig @ns1.cdc.gov www.akam.cdc.gov +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59380
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.            IN      A

;; ANSWER SECTION:
www.akam.cdc.gov.     3600    IN      CNAME   www.cdc.gov.edgekey.net.


Regards,
John Levine, johnl () taugh com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
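The failure John's dig output shows is that one RRset in the CNAME chain (www.akam.cdc.gov CNAME) arrives with no RRSIG, while the RRset before it in the same answer is signed. The script below is an added example, not code from the thread, from ISC or from the CDC: it parses the presentation-format text that dig prints, walks the CNAME chain from the queried name, and lists every (owner, type) RRset in the ANSWER section that no RRSIG in the same section claims to cover. The two sample answers are constructed from the dig output quoted above; the function names are the example's own.

```python
"""Flag RRsets in a dig +dnssec ANSWER section that carry no covering RRSIG.

Added example (not code from the thread or from ISC). It parses the text
that dig prints, walks the CNAME chain from the queried name, and reports
every (owner, type) RRset in the ANSWER section for which no RRSIG with a
matching owner and type-covered field is present. The two sample answers
below are constructed from the dig output quoted in the thread.
"""
import re

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer_section(dig_output):
    """Return [(owner, type, rdata)] for the records in the ANSWER section.

    Long RRSIG signatures wrap onto continuation lines; those are appended to
    the rdata of the previous record.
    """
    rrs = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):        # any other section header ends it
            in_answer = False
            continue
        if not in_answer or not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            rrs.append((m.group(1).lower(), m.group(3).upper(), m.group(4)))
        elif rrs:                        # wrapped signature data
            owner, rtype, rdata = rrs[-1]
            rrs[-1] = (owner, rtype, rdata + " " + line)
    return rrs


def unsigned_rrsets(rrs):
    """Return sorted (owner, type) pairs that have no covering RRSIG."""
    present = {(o, t) for o, t, _ in rrs if t != "RRSIG"}
    # The first RRSIG rdata field is the type covered, e.g. "CNAME 7 3 300 ..."
    covered = {(o, r.split()[0].upper()) for o, t, r in rrs if t == "RRSIG"}
    return sorted(present - covered)


def cname_chain(rrs, qname):
    """Follow CNAMEs in the answer starting at qname; return the names visited."""
    targets = {o: r.rstrip(".") + "." for o, t, r in rrs if t == "CNAME"}
    chain = [qname.lower()]
    while chain[-1] in targets and targets[chain[-1]].lower() not in chain:
        chain.append(targets[chain[-1]].lower())
    return chain


def check(dig_output, qname):
    """Return (chain, unsigned) for one dig +dnssec answer."""
    rrs = parse_answer_section(dig_output)
    return cname_chain(rrs, qname), unsigned_rrsets(rrs)


# Constructed samples: the ANSWER sections quoted in the thread.
ANSWER_WWW = """\
;; ANSWER SECTION:
www.cdc.gov.          300     IN      CNAME   www.akam.cdc.gov.
www.cdc.gov.          300     IN      RRSIG   CNAME 7 3 300 20210119032636 20210109024411 9155 cdc.gov. FxxFahuaCEw8gUXH6CuiqUgXWzPDkQlY0HTtJwjMAVMS7Lc3VOelfkmT
 hT/ZmDpdUiYsNr7YXMUNhF4Ii/49lu5AGTxwlu9dtX66HSK+8vf/FnzF XUZrC0UXFEPLl0K+pmdLEiUpiHDq3lIwAfKNmiOrwlPvtXttqDs+JC1d w6A=
www.akam.cdc.gov.     3600    IN      CNAME   www.cdc.gov.edgekey.net.
"""

ANSWER_AKAM = """\
;; ANSWER SECTION:
www.akam.cdc.gov.     3600    IN      CNAME   www.cdc.gov.edgekey.net.

"""

if __name__ == "__main__":
    for name, answer in (("www.cdc.gov.", ANSWER_WWW),
                         ("www.akam.cdc.gov.", ANSWER_AKAM)):
        chain, unsigned = check(answer, name)
        print(name, "->", " -> ".join(chain[1:]))
        for owner, rtype in unsigned:
            print("  no RRSIG covering", rtype, "at", owner)
```

Running it against both captured answers reports the same gap: the CNAME at www.akam.cdc.gov has no RRSIG. That is the condition a validating resolver has to resolve one way or the other, either by finding the RRSIG in the signed cdc.gov zone or by obtaining a proof that akam.cdc.gov is an insecure delegation; an answer that supplies neither is what validators reject. The script only checks presence of a covering RRSIG, not the signature itself, which is enough to spot this class of misconfiguration from a single dig.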

