[dns-operations] Strange behavior of covid.cdc.gov

Warren Kumari warren at kumari.net
Mon Aug 31 13:40:09 UTC 2020


On Mon, Aug 31, 2020 at 9:23 AM Yasuhiro Orange Morishita / 森下泰宏
<yasuhiro at jprs.co.jp> wrote:
>
> Hi,
>
> Now covid.cdc.gov seems to have a DNSSEC validation error.
> Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL.
> e.g. dig covid.cdc.gov @8.8.8.8
>
> But it seems to be a little bit strange.  The auth servers of the cdc.gov
> zone serve an unneeded (and unsigned) akam.cdc.gov zone.  But they still
> have a DS RR for the real akam.cdc.gov zone.
>
> This is the output of digs.
> <https://www.dropbox.com/s/alfb1ftvzpd6qcv/20200831-covid.cdc.gov.txt>

... and for those of us who prefer the pretty graph version:
https://dnsviz.net/d/covid.cdc.gov/dnssec/

Another thing that is interesting is:
$ dig covid.cdc.gov @ns1.cdc.gov

[SNIP]

;; ANSWER SECTION:
Covid.cdc.gov. 3600 IN CNAME covid.akam.cdc.gov.
covid.akam.cdc.gov. 3600 IN CNAME covid.cdc.gov.edgekey.net.

The uppercase 'C' in the 'Covid.cdc.gov. 3600 IN CNAME
covid.akam.cdc.gov.' from the auth is interesting... Not wrong, just
interesting...

W



>
> -- Orange
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
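
The two observations in this thread, as an added Python example that is not part of the original message: owner names match case-insensitively when following the CNAME chain, and a DS at the parent with an unsigned child classifies as bogus. The DS, SOA and NS records are constructed placeholders, the function names are hypothetical, and the check is structural only (no digest or signature verification).

```python
def norm(name):
    # DNS names compare case-insensitively (RFC 4343).
    return name.rstrip(".").lower() + "."

def parse_rrs(text):
    # Parse dig-style "owner ttl class type rdata" lines; skip comments.
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            rrs.append((norm(owner), rtype.upper(), rdata))
    return rrs

def follow_cnames(qname, rrs, limit=8):
    # Walk the CNAME chain, matching owners case-insensitively.
    chain = [norm(qname)]
    cnames = {o: norm(r) for o, t, r in rrs if t == "CNAME"}
    while chain[-1] in cnames and len(chain) <= limit:
        chain.append(cnames[chain[-1]])
    return chain

def delegation_status(zone, parent_rrs, child_rrs):
    # DS at the parent promises a signed child; an unsigned child is then bogus.
    # Structural check only: presence of records, not cryptographic validity.
    zone = norm(zone)
    has_ds = any(o == zone and t == "DS" for o, t, _ in parent_rrs)
    has_key = any(o == zone and t == "DNSKEY" for o, t, _ in child_rrs)
    key_signed = any(o == zone and t == "RRSIG" and r.split()[0].upper() == "DNSKEY"
                     for o, t, r in child_rrs)
    if not has_ds:
        return "insecure"
    return "secure-candidate" if has_key and key_signed else "bogus"

# Answer section as quoted in the message above.
ANSWER = """
;; ANSWER SECTION:
Covid.cdc.gov. 3600 IN CNAME covid.akam.cdc.gov.
covid.akam.cdc.gov. 3600 IN CNAME covid.cdc.gov.edgekey.net.
"""
# Constructed records: DS fields and SOA/NS rdata are placeholders.
PARENT = "akam.cdc.gov. 3600 IN DS 11111 8 2 00AA11BB22CC33DD"
CHILD_UNSIGNED = """
akam.cdc.gov. 3600 IN SOA ns.example. hostmaster.example. 1 3600 600 604800 300
akam.cdc.gov. 3600 IN NS ns.example.
"""

if __name__ == "__main__":
    print(follow_cnames("covid.cdc.gov", parse_rrs(ANSWER)))
    print(delegation_status("akam.cdc.gov", parse_rrs(PARENT), parse_rrs(CHILD_UNSIGNED)))
```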



