<div dir="ltr"><div class="gmail_default" style="font-family:monospace">yeah. it's sad. looked like a poorly timed key roll for <a href="http://akam.cdc.gov">akam.cdc.gov</a> dnskey. hope it doesn't make the idiot "dream team" inside USG just say "turn dnssec off".</div><div class="gmail_default" style="font-family:monospace"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 25, 2020 at 3:15 PM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Dec 24, 2020 at 07:12:35PM -0500, Robert Edmonds wrote:<br>
<br>
> I'm also seeing intermittent SERVFAILs with <a href="http://www.cdc.gov" rel="noreferrer" target="_blank">www.cdc.gov</a>. Possibly this is a<br>
> recent change due to a change in the CNAME target. I don't recall seeing<br>
> SERVFAILs for <a href="http://www.cdc.gov" rel="noreferrer" target="_blank">www.cdc.gov</a> before this month, but I could be wrong.<br>
<br>
Welcome to the wonderful world of DNS balancers, cutting every corner<br>
they believe they can get away with, leaving it to the world at large to<br>
implement work-arounds.  Even <a href="http://www.verisign.com" rel="noreferrer" target="_blank">www.verisign.com</a> is not entirely kosher:<br>
<br>
    <a href="https://dnsviz.net/d/www.verisign.com/X-VoNA/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/www.verisign.com/X-VoNA/dnssec/</a><br>
<br>
The parent <a href="http://verisign.com" rel="noreferrer" target="_blank">verisign.com</a> zone delegates <a href="http://www.verisign.com" rel="noreferrer" target="_blank">www.verisign.com</a> to some<br>
load-balancers that don't bother returning NS records for the zone apex.<br>
<br>
Another long-standing case is "<a href="http://mail.protection.outlook.com" rel="noreferrer" target="_blank">mail.protection.outlook.com</a>", where there's<br>
still no sign of EDNS support, and queries for e.g. TLSA RRs return<br>
NOTIMP (rather than NODATA or, in this case, NXDOMAIN):<br>
<br>
    <a href="https://dnsviz.net/d/_25._tcp.nist-gov.mail.protection.outlook.com/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/_25._tcp.nist-gov.mail.protection.outlook.com/dnssec/</a><br>
<br>
-- <br>
    Viktor.<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>
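<p>The two misbehaviours Viktor describes above (an answer of NOTIMP to a TLSA query where NODATA or NXDOMAIN is the correct response, and no EDNS OPT record coming back) can be recognised mechanically from the DNS wire format. The following is an added example, not code from this thread, from DNSViz or from any of the operators named in it: a pure-Python classifier that parses a DNS response header and record sections and reports those two issues, run over constructed messages rather than captured traffic. The query name <code>_25._tcp.mail.example</code>, the message id 0x1234 and the 1232-byte EDNS payload size are illustrative assumptions.</p>

```python
import struct

QTYPE_TLSA = 52   # RFC 6698
QTYPE_OPT = 41    # EDNS pseudo-RR, RFC 6891
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted owner name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_response(qname, qtype, rcode, answer_rdata=None, edns=False, msg_id=0x1234):
    """Build a minimal DNS response message. Constructed test data, not a real capture."""
    ancount = 1 if answer_rdata is not None else 0
    arcount = 1 if edns else 0
    flags = 0x8180 | (rcode & 0xF)                     # QR=1, RD=1, RA=1, RCODE in low nibble
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)           # question, class IN
    if answer_rdata is not None:
        msg += encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(answer_rdata)) + answer_rdata
    if edns:
        # OPT pseudo-RR: root owner name, type 41, "class" carries the UDP payload size (assumed 1232)
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 1232, 0, 0)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(msg: bytes):
    """Return (verdict, edns_present): verdict is DATA, NODATA or the non-zero RCODE name."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                  # skip QTYPE and QCLASS
    edns = False
    for _ in range(an + ns + ar):                      # walk answer, authority, additional
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            edns = True
    if rcode == "NOERROR":
        verdict = "DATA" if an else "NODATA"           # NOERROR with empty answer section is NODATA
    else:
        verdict = rcode
    return verdict, edns


def check_tlsa_response(msg: bytes):
    """List the problems from the thread that a response to an EDNS TLSA query exhibits."""
    verdict, edns = classify_response(msg)
    issues = []
    if verdict == "NOTIMP":
        issues.append("NOTIMP for a TLSA query; a correct server answers NODATA or NXDOMAIN")
    if not edns:
        issues.append("no OPT record in the response; server does not speak EDNS, so DO cannot be honoured")
    return issues


if __name__ == "__main__":
    broken = build_response("_25._tcp.mail.example", QTYPE_TLSA, 4)                 # NOTIMP, no EDNS
    fine = build_response("_25._tcp.mail.example", QTYPE_TLSA, 0, edns=True)        # NODATA with EDNS
    for label, m in (("broken", broken), ("fine", fine)):
        print(label, classify_response(m), check_tlsa_response(m))
```

<p>In practice the message bytes would come from a UDP or TCP exchange with the authoritative server (the query sent with an OPT record and the DO bit set); the classifier only looks at the response, so a missing OPT is only meaningful when the query carried one.</p>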