[dns-operations] Strange behavior of www.cdc.gov (was: Strange behavior of covid.cdc.gov)

Richard Lamb slamb at xtcn.com
Tue Dec 29 05:12:38 UTC 2020


yeah. its sad. looked like a poorly timed key roll for akam.cdc.gov dnskey.
hope it doesnt make the idiot "dream team" inside USG just say "turn dnssec
off".


On Fri, Dec 25, 2020 at 3:15 PM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Thu, Dec 24, 2020 at 07:12:35PM -0500, Robert Edmonds wrote:
>
> > I'm also seeing intermittent SERVFAILs with www.cdc.gov. Possibly this a
> > recent change due to a change in the CNAME target. I don't recall seeing
> > SERVFAILs for www.cdc.gov before this month, but I could be wrong.
>
> Welcome to the wonderful world of DNS balancers, cutting every corner
> they believe they can get away with, leaving it to the world at large to
> implement work-arounds.  Even www.verisign.com is not entirely kosher:
>
>     https://dnsviz.net/d/www.verisign.com/X-VoNA/dnssec/
>
> The parent verisign.com zone delegates www.verisign.com to some
> load-balancers that don't bother returning NS records for the zone apex.
>
> Another long-standing case is "mail.protection.outlook.com", where's
> still no sign of EDNS support, and queries for e.g. TLSA RRs return
> NOTIMP (rather than NODATA or, in this case, NXDOMAIN):
>
>
> https://dnsviz.net/d/_25._tcp.nist-gov.mail.protection.outlook.com/dnssec/
>
> --
>     Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20201228/1722f6bc/attachment.html>


More information about the dns-operations mailing list