cdc.gov Contact

Richard Laager rlaager at wiktel.com
Fri Jul 26 21:53:10 UTC 2024


I'm looking for a cdc.gov contact. I've already tried hostmaster at cdc.gov 
and cameron.dixon at cisa.dhs.gov with no luck.

We are having issues resolving www.cdc.gov/A with current BIND.

It's not just me:
https://community.cloudflare.com/t/cdc-gov-not-resolving/228798/13
https://forum.netgate.com/topic/159228/insanely-weird-issue-with-dns-resolution-to-www-cdc-gov/49

The main problem is that ns[123].cdc.gov. return REFUSED for 
www.akam.cdc.gov/A (which www.cdc.gov is a CNAME for):

$ dig www.akam.cdc.gov A @ns1.cdc.gov

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> www.akam.cdc.gov A @ns1.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8329
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 892a827575ada0c70100000066a4183e24d8acbcc25acb8c (good)
;; QUESTION SECTION:
;www.akam.cdc.gov.		IN	A

;; Query time: 76 msec
;; SERVER: 198.246.96.61#53(ns1.cdc.gov) (UDP)
;; WHEN: Fri Jul 26 16:42:22 CDT 2024
;; MSG SIZE  rcvd: 73

It turns out that our particular configuration makes this more likely 
(which might be why they're not hearing of this left and right), but the 
issue is not specific to our configuration.

According to a BIND developer:

"simply by querying for cdc.gov/NS first and only then querying for 
www.cdc.gov/A - the result will be a SERVFAIL... That's because the 
authoritative server set is different in gov. and in cdc.gov. and, in 
particular, all of the servers listed in the NS RRset at the child side 
of the zone cut return REFUSED to all queries for akam.cdc.gov and its 
subdomains.  That's why as soon as a resolver caches the child-side NS 
RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"

For more details, see the full comment here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4787#note_470454

Also, you can see a warning on the gov to cdc.gov delegation here:
https://dnsviz.net/d/www.cdc.gov/dnssec/

gov. has NS records pointing to auth00.ns.uu.net. and auth100.ns.uu.net. 
that ns[123].cdc.gov. do not. I assume that's what he is referring to 
when he says the "authoritative server set is different in gov. and in 
cdc.gov." That should also be fixed.

-- 
Richard
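
The check described in the message above, as an added example that is not part of the original post or of BIND: it compares the parent-side and child-side NS sets and flags the case where every child-side server refuses the sub-zone. The helper names, the exact membership of the parent set, the ns2/ns3 responses and the NOERROR answers from the uu.net servers are assumptions constructed for illustration.

```python
import re

# Header lines copied from the dig output in the post (query sent to ns1.cdc.gov).
NS1_DIG = (";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8329\n"
           ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")

def parse_status(dig_output):
    """Return the RCODE named on the ->>HEADER<<- line of dig output."""
    m = re.search(r"->>HEADER<<-.*?status:\s*([A-Z]+)", dig_output)
    if not m:
        raise ValueError("no dig header line found")
    return m.group(1)

def norm(name):
    """Compare host names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")

def audit(parent_ns, child_ns, rcodes):
    """Compare both sides of a zone cut for a sub-zone query.

    rcodes maps each name server to the RCODE it returned for the sub-zone.
    """
    parent = {norm(n) for n in parent_ns}
    child = {norm(n) for n in child_ns}
    rc = {norm(k): v for k, v in rcodes.items()}
    return {
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
        "refusing_child_ns": sorted(s for s in child if rc.get(s) == "REFUSED"),
        # A resolver that has cached the child-side NS RRset asks only these
        # servers, so the sub-zone fails once all of them refuse it.
        "breaks_after_child_ns_cached":
            bool(child) and all(rc.get(s) == "REFUSED" for s in child),
    }

# Constructed inputs: only the ns1 status comes from real output in the post.
CHILD_NS = ["ns1.cdc.gov.", "ns2.cdc.gov.", "ns3.cdc.gov."]
PARENT_NS = CHILD_NS + ["auth00.ns.uu.net.", "auth100.ns.uu.net."]  # assumed set
RCODES = {"ns1.cdc.gov.": parse_status(NS1_DIG),
          "ns2.cdc.gov.": "REFUSED", "ns3.cdc.gov.": "REFUSED",          # assumed
          "auth00.ns.uu.net.": "NOERROR", "auth100.ns.uu.net.": "NOERROR"}  # assumed
RESULT = audit(PARENT_NS, CHILD_NS, RCODES)

if __name__ == "__main__":
    for key, value in RESULT.items():
        print(f"{key}: {value}")
```

In practice the NS sets and RCODEs would be filled in from dig queries sent to a gov. server and to each listed name server in turn.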

