[dns-operations] Strange behavior of www.cdc.gov (was: Strange behavior of covid.cdc.gov)
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Dec 25 23:15:04 UTC 2020
On Thu, Dec 24, 2020 at 07:12:35PM -0500, Robert Edmonds wrote:
> I'm also seeing intermittent SERVFAILs with www.cdc.gov. Possibly this a
> recent change due to a change in the CNAME target. I don't recall seeing
> SERVFAILs for www.cdc.gov before this month, but I could be wrong.
Welcome to the wonderful world of DNS balancers, cutting every corner
they believe they can get away with, leaving it to the world at large to
implement work-arounds. Even www.verisign.com is not entirely kosher:
https://dnsviz.net/d/www.verisign.com/X-VoNA/dnssec/
The parent verisign.com zone delegates www.verisign.com to some
load-balancers that don't bother returning NS records for the zone apex.
Another long-standing case is "mail.protection.outlook.com", where's
still no sign of EDNS support, and queries for e.g. TLSA RRs return
NOTIMP (rather than NODATA or, in this case, NXDOMAIN):
https://dnsviz.net/d/_25._tcp.nist-gov.mail.protection.outlook.com/dnssec/
--
Viktor.
More information about the dns-operations
mailing list