[dns-operations] Strange behavior of covid.cdc.gov
Yasuhiro Orange Morishita / 森下泰宏
yasuhiro at jprs.co.jp
Tue Sep 1 06:55:46 UTC 2020
Mark-san,
> Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net
> and they aren’t serving an incomplete version of akam.cdc.gov.
Certainly, cdc.gov has 5 NSes. And both uu.net servers return the correct
answer for the covid.cdc.gov/A query.
I added two dig outputs to my text, thank you.
<https://www.dropbox.com/s/alfb1ftvzpd6qcv/20200831-covid.cdc.gov.txt>
I think this case is so curious and these digs should be preserved,
like the appldnld case.
<https://www.dropbox.com/s/nvw46gtxupggo1e/20120314-appldnld.apple.com.txt>
-- Orange
From: Mark Andrews <marka at isc.org>
Subject: Re: [dns-operations] Strange behavior of covid.cdc.gov
Date: Tue, 1 Sep 2020 14:22:16 +1000
> Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net
> and they aren’t serving an incomplete version of akam.cdc.gov. Recursive
> servers will eventually get a valid referral rather than bogus (unsigned)
> answers from ns[123].cdc.gov for akam.cdc.gov.
>
> Mark
>
>> On 1 Sep 2020, at 00:47, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
>>
>> On Mon, Aug 31, 2020 at 10:12:04PM +0900,
>> Yasuhiro Orange Morishita / 森下泰宏 <yasuhiro at jprs.co.jp> wrote
>> a message of 18 lines which said:
>>
>>> But it seems to be a little bit strange. The auth servers of cdc.gov
>>> zone serve unneeded (and unsigned) akam.cdc.gov zone. But they still
>>> have DS RR for real akam.cdc.gov zone.
>>
>> They also do not return a proper delegation:
>>
>> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: 70d47b392dfb22d2662352815f4d0d3fe1c90df99f508386 (good)
>> ;; QUESTION SECTION:
>> ;akam.cdc.gov. IN A
>>
>> ;; AUTHORITY SECTION:
>> akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>> 612558384 ; serial
>> 300 ; refresh (5 minutes)
>> 180 ; retry (3 minutes)
>> 1209600 ; expire (2 weeks)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; Query time: 98 msec
>> ;; SERVER: 198.246.96.92#53(198.246.96.92)
>> ;; WHEN: Mon Aug 31 16:46:23 CEST 2020
>> ;; MSG SIZE rcvd: 129
>>
>> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
>> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44336
>> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ; COOKIE: 2e27a9b171983390a21696a65f4d0d54710de953e8dd107b (good)
>> ;; QUESTION SECTION:
>> ;akam.cdc.gov. IN DNSKEY
>>
>> ;; AUTHORITY SECTION:
>> akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
>> 612558384 ; serial
>> 300 ; refresh (5 minutes)
>> 180 ; retry (3 minutes)
>> 1209600 ; expire (2 weeks)
>> 3600 ; minimum (1 hour)
>> )
>>
>> ;; Query time: 98 msec
>> ;; SERVER: 198.246.96.92#53(198.246.96.92)
>> ;; WHEN: Mon Aug 31 16:46:44 CEST 2020
>> ;; MSG SIZE rcvd: 129
>>
>> Which may explain the strange error messages of DNSviz (the IP
>> addresses are for the parent zone).
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>
>
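The check discussed in this thread, as an added example that is not part of any poster's message: it reads `dig +dnssec +norec` output from a parent-zone server and tells a proper referral apart from the reply quoted above (aa set, only the child's SOA, no RRSIG). `classify`, `validator_outcome`, and the `child.example.` referral are assumptions made for illustration; `PAGE_REPLY` is trimmed from the first quoted dig reply.

```python
import re

# Trimmed from the first dig reply quoted in the thread (parent-zone server).
PAGE_REPLY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;akam.cdc.gov. IN A
;; AUTHORITY SECTION:
akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. (
300 ; refresh (5 minutes)
)
"""

# Constructed sample (not from the thread): a signed referral for a made-up child zone.
CONSTRUCTED_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
child.example. 3600 IN NS ns1.child.example.
child.example. 3600 IN NS ns2.child.example.
child.example. 3600 IN DS 12345 13 2 AABBCC
child.example. 3600 IN RRSIG DS 13 2 3600 20200930000000 20200901000000 54321 example. c2ln
"""

def classify(dig_text, child):
    """Classify a parent-zone server's reply for a name at the child apex."""
    flags = re.search(r"^;; flags: ([a-z ]*);", dig_text, re.M).group(1).split()
    section, types = None, set()
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        f = line.split()
        if m:
            section = m.group(1)
        # Keep only "<owner> <ttl> IN <type> ..." records owned by the child apex.
        elif section == "AUTHORITY" and len(f) >= 4 and f[2] == "IN" and f[0].lower() == child:
            types.add(f[3])
    if "aa" not in flags and "NS" in types:
        return "signed referral" if {"DS", "RRSIG"} <= types else "insecure referral"
    if "aa" in flags and "SOA" in types:
        # The server answers from its own copy of the child zone instead of delegating.
        return ("signed" if "RRSIG" in types else "unsigned") + " local copy, no referral"
    return "other"

def validator_outcome(kind, ds_at_parent):
    """A DS in the parent promises signed data, so an unsigned answer is bogus."""
    return "bogus" if ds_at_parent and kind.startswith("unsigned") else "no conflict seen"

if __name__ == "__main__":
    kind = classify(PAGE_REPLY, "akam.cdc.gov.")
    print(kind, "->", validator_outcome(kind, ds_at_parent=True))
```

The "unsigned" label relies on the query having been sent with the DO bit (`+dnssec`), since a signed zone would then include RRSIG records in the authority section.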