[dns-operations] cdc.gov Contact

Richard Laager rlaager at wiktel.com
Mon Jul 29 21:12:59 UTC 2024


On 2024-07-29 13:58, Jared Mauch wrote:
> On Sat, Jul 27, 2024 at 10:05:31AM +1000, Viktor Dukhovni wrote:
>> On Fri, Jul 26, 2024 at 04:53:10PM -0500, Richard Laager via dns-operations wrote:

>>> According to a BIND developer:
>>>
>>> "simply by querying for cdc.gov/NS first and only then querying for
>>> www.cdc.gov/A - the result will be a SERVFAIL... That's because the
>>> authoritative server set is different in gov. and in cdc.gov. and, in
>>> particular, all of the servers listed in the NS RRset at the child side of
>>> the zone cut return REFUSED to all queries for akam.cdc.gov and its
>>> subdomains.  That's why as soon as a resolver caches the child-side NS
>>> RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"
>>
>> This is correct, only the parent-side NS RRset includes nameservers that
>> are willing to delegate "akam.cdc.gov".
> 
> I would say that I lightly consider this a bug in dig which won't report
> the response received:

I'm not following. dig _is_ reporting the response it gets, which is 
REFUSED:

$ dig www.akam.cdc.gov A @ns1.cdc.gov | grep status
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37848

You are running something different when you use +trace, which depending 
on the exact behavior of dig could work 2 out of 5 times, depending on 
whether dig picks auth*.ns.uu.net or ns*.cdc.gov. That inconsistency is 
the problem, which is why my example gives the more specific case of 
querying ns1.cdc.gov to demonstrate that it refuses the query.

-- 
Richard
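A delegation-consistency check of the kind the thread is describing, as an added example (not code from the list or from any poster): it compares a parent-side and a child-side NS RRset, asks every server about a name under the sub-zone, and reports whether a resolver that has cached the child-side set can still resolve it. The server names and their answers are a constructed model patterned on the discussion, not live data; `live_query` shows how the same check would be wired to dnspython for a real lookup.

```python
"""Delegation-consistency check modelled on the case discussed above (added
example; the server names and answers are a constructed model, not live data)."""
from fractions import Fraction

NOERROR, REFUSED = "NOERROR", "REFUSED"

# Constructed model (hypothetical names patterned on the thread): the parent-side
# NS RRset for cdc.gov as published in gov., the child-side NS RRset as served by
# cdc.gov's own servers, and how each server answers for names under akam.cdc.gov.
PARENT_NS = {"auth1.ns.uu.net", "auth2.ns.uu.net",
             "ns1.cdc.gov", "ns2.cdc.gov", "ns3.cdc.gov"}
CHILD_NS = {"ns1.cdc.gov", "ns2.cdc.gov", "ns3.cdc.gov"}


def simulated_query(server, qname, qtype):
    """Stand-in for a network query: only the uu.net hosts delegate akam.cdc.gov."""
    if qname.endswith("akam.cdc.gov") and not server.endswith(".ns.uu.net"):
        return REFUSED
    return NOERROR


def live_query(server_ip, qname, qtype):
    """Real query via dnspython (not exercised here); pass IP addresses, not names."""
    import dns.message
    import dns.query
    import dns.rcode
    resp = dns.query.udp(dns.message.make_query(qname, qtype), server_ip, timeout=3)
    return dns.rcode.to_text(resp.rcode())


def check_delegation(parent_ns, child_ns, qname, query=simulated_query):
    """Compare the two NS RRsets and find which servers refuse `qname`.

    A resolver that has cached the child-side RRset can only reach `qname` if at
    least one child-side server answers; a resolver still using the parent-side
    RRset succeeds, per attempt, with probability (answering parent servers /
    all parent servers), which is the "2 out of 5" behaviour seen with +trace.
    """
    refusing = {ns for ns in parent_ns | child_ns if query(ns, qname, "A") == REFUSED}
    return {
        "only_in_parent": parent_ns - child_ns,
        "only_in_child": child_ns - parent_ns,
        "refusing": refusing,
        "resolvable_via_child": bool(child_ns - refusing),
        "parent_success": Fraction(len(parent_ns - refusing), len(parent_ns)),
    }


if __name__ == "__main__":
    for key, value in check_delegation(PARENT_NS, CHILD_NS, "www.akam.cdc.gov").items():
        print(f"{key}: {value}")
```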