[dns-operations] cdc.gov Contact

Jared Mauch jared at puck.nether.net
Mon Jul 29 18:58:59 UTC 2024


On Sat, Jul 27, 2024 at 10:05:31AM +1000, Viktor Dukhovni wrote:
> On Fri, Jul 26, 2024 at 04:53:10PM -0500, Richard Laager via dns-operations wrote:
> 
> > I'm looking for a cdc.gov contact. I've already tried hostmaster at cdc.gov and
> > cameron.dixon at cisa.dhs.gov with no luck.
> 
> The SOA RR for akam.cdc.gov (problem zone) lists as its "rname":
> 
>     adhelpdsk at cdc.gov
> 
> And the GOV opendata lists a security contact for cdc.gov of:
> 
>     ResponsibleDisclosure at hhs.gov
> 
> > According to a BIND developer:
> > 
> > "simply by querying for cdc.gov/NS first and only then querying for
> > www.cdc.gov/A - the result will be a SERVFAIL... That's because the
> > authoritative server set is different in gov. and in cdc.gov. and, in
> > particular, all of the servers listed in the NS RRset at the child side of
> > the zone cut return REFUSED to all queries for akam.cdc.gov and its
> > subdomains.  That's why as soon as a resolver caches the child-side NS
> > RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"
> 
> This is correct, only the parent-side NS RRset includes nameservers that
> are willing to delegate "akam.cdc.gov".

I would say that I lightly consider this a bug in dig which won't report
the response received:

pi at raspberrypi:~ $ dig +trace www.akam.cdc.gov.

; <<>> DiG 9.20.0-Debian <<>> +trace www.akam.cdc.gov.
;; global options: +cmd
.			25712	IN	NS	d.root-servers.net.
.			25712	IN	NS	c.root-servers.net.
.			25712	IN	NS	f.root-servers.net.
.			25712	IN	NS	j.root-servers.net.
.			25712	IN	NS	k.root-servers.net.
.			25712	IN	NS	m.root-servers.net.
.			25712	IN	NS	b.root-servers.net.
.			25712	IN	NS	a.root-servers.net.
.			25712	IN	NS	g.root-servers.net.
.			25712	IN	NS	e.root-servers.net.
.			25712	IN	NS	i.root-servers.net.
.			25712	IN	NS	h.root-servers.net.
.			25712	IN	NS	l.root-servers.net.
.			25712	IN	RRSIG	NS 8 0 518400 20240811050000 20240729040000 20038 . FGSl16unUNVC74FO1dPo6eDKysS+GHYoJCR0G2lbDJNDLZgeqVm/Y/vP PPG9AlTtjyn6/1ZhglFVWk6BEv4IUbHx/iD2ato7L+DlmiC2StkEecCq Uf3jfT7vnJ6Nhvwok7AHHCEAzUb6JK6iKkcZCfFNw84oqIMSUtsHZaSe 2LGrbkiRmfmIxC1dIeMTkXSlFPiPSOAe/y+bOF5yZ4OzOJe5LA8aS/e7 CwILaycLx+j4wafGKY+xTX+cIoW3+Pa9ZUMD3tgzsf5Rn3wLtAvfeu6J txun+DdMi9tc6EQWClhVqk3J19RIxat3zR4jtajIOrdXpplmEvNMmZsM uIbVqA==
;; Received 525 bytes from 9.9.9.9#53(9.9.9.9) in 3 ms

gov.			172800	IN	NS	a.ns.gov.
gov.			172800	IN	NS	d.ns.gov.
gov.			172800	IN	NS	c.ns.gov.
gov.			172800	IN	NS	b.ns.gov.
gov.			86400	IN	DS	2536 13 2 0BAF26B7BBF313A859046FD3B1EE49DDFBA33934CFB3E717C21E2A29 35C2F259
gov.			86400	IN	RRSIG	DS 8 1 86400 20240811170000 20240729160000 20038 . Q0tmikQf/3GA6jhojagHH4zT9RtouE5HFg93dLidPKy2m6qDm/zxhc6k x0VOMVAShRllJTc98f6ipB0WtqAKK1+AeUcB4pHtAixzi1gdNQF5riKE MyOfEAtgslKPbh0ngjQCtUXOS50dgSTkjY6l6F3umGjl38ZQhwrZappp 278LQEgJ6FoNiLUOBbro9JV98Akkk7NU3PV8+VnpJZ7N+Id1lSBqMZP0 WxomRnD7T+MCrcIoB1q61nyYQ86mumtl8uj9EVRdc9s93ISwrqSq194Y Rw+5UNpA9AvVCIC96wCf8dd7ASljAZb5r9bftMCrQxpBjZpeA3xiEqa1 HSKdaA==
;; Received 629 bytes from 2001:7fd::1#53(k.root-servers.net) in 43 ms

cdc.gov.		10800	IN	NS	auth00.ns.uu.net.
cdc.gov.		10800	IN	NS	auth100.ns.uu.net.
cdc.gov.		10800	IN	NS	ns1.cdc.gov.
cdc.gov.		10800	IN	NS	ns2.cdc.gov.
cdc.gov.		10800	IN	NS	ns3.cdc.gov.
cdc.gov.		3600	IN	DS	21719 8 2 A88D11ECFE2889312EB2F84D4BA9DC72A1750FD4AC2F5BE97D69B768 1A564AF0
cdc.gov.		3600	IN	RRSIG	DS 13 2 3600 20240730195315 20240728175315 35496 gov. 7oX/5O69fpCRz7j9MqHL4jFbJxK2eOiTGxQ0iVX6AW6yYzN8EhyOfO24 mkrZ1kEtd7X02yq4o4FIYuKXuvdThQ==
;; Received 346 bytes from 199.33.233.1#53(d.ns.gov) in 3 ms


;; Received 73 bytes from 198.246.125.10#53(ns3.cdc.gov) in 27 ms

This does obviously point to where the issue is. There is a right way to
do the CNAME etc. If nobody resolves it soon I'll try to push it
through internal contacts towards the account team, but you should also
be able to reach out to the DHS CERT helpdesk to route the inquiry over
there as well.

	- Jared

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
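
Added example, not part of the original message and not dig's own code: the last step of the trace above shows only a byte count, so this sketch decodes the DNS header of a reply and names the RCODE (such as the REFUSED described in the quoted text). All function names are hypothetical and the sample reply is constructed, not captured from cdc.gov.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Non-recursive (RD=0) query, as a resolver sends to an authoritative server."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header: ID, flags and section counts."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(rcode, str(rcode)),
            "answer": an, "authority": ns, "additional": ar}

def classify(hdr):
    """Say what the reply means to a resolver that is following a delegation."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["rcode"] not in ("NOERROR", "NXDOMAIN"):
        return "lame: " + hdr["rcode"]  # server listed in NS but will not serve the name
    if hdr["answer"]:
        return "answer"
    if hdr["authority"] and not hdr["aa"]:
        return "referral"
    return "negative answer"

def probe(server, name, timeout=3.0):
    """Live check (needs network): ask one server address and classify its reply."""
    txid = secrets.randbits(16)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        hdr = parse_header(s.recvfrom(4096)[0])
    return classify(hdr) if hdr["id"] == txid else "mismatched ID"

# Constructed sample: the query echoed back with QR=1 and RCODE=5, no records.
_q = build_query("www.akam.cdc.gov.")
SAMPLE_REFUSED = _q[:2] + struct.pack("!H", 0x8005) + _q[4:]

if __name__ == "__main__":
    print(classify(parse_header(SAMPLE_REFUSED)))
```

Running `probe()` against each address in the parent-side and child-side NS RRsets separates the servers that will refer or answer from the ones that refuse.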

