On Mon, Aug 31, 2020 at 9:23 AM Yasuhiro Orange Morishita / 森下泰宏 <[email protected]> wrote:
>
> Hi,
>
> Now covid.cdc.gov seems to be DNSSEC validation error.
> Google Public DNS and some DNSSEC-enabled resolvers return SERVFAIL.
> e.g. dig covid.cdc.gov @8.8.8.8
>
> But it seems to be a little bit strange. The auth servers of cdc.gov
> zone serve unneeded (and unsigned) akam.cdc.gov zone. But they still
> have DS RR for real akam.cdc.gov zone.
>
> This is output of digs.
> <https://www.dropbox.com/s/alfb1ftvzpd6qcv/20200831-covid.cdc.gov.txt>

... and for those of us who prefer the pretty graph version:
https://dnsviz.net/d/covid.cdc.gov/dnssec/

Another thing that is interesting is:

$ dig covid.cdc.gov @ns1.cdc.gov
[SNIP]
;; ANSWER SECTION:
Covid.cdc.gov.        3600  IN  CNAME  covid.akam.cdc.gov.
covid.akam.cdc.gov.   3600  IN  CNAME  covid.cdc.gov.edgekey.net.

The uppercase 'C' in the 'Covid.cdc.gov. 3600 IN CNAME covid.akam.cdc.gov.' from the auth is interesting... Not wrong, just interesting...

W

>
> -- Orange
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
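
Added example, not part of the original thread: a simplified Python model of the validator decision behind the SERVFAIL described above, where a DS record at the parent covers a name whose answer arrives without an RRSIG. The record data, key tags, digests and the shape of the +dnssec answer are constructed placeholders, and the functions parse, in_zone and classify are hypothetical names; no cryptographic verification is performed.

```python
# Constructed sample data in dig answer format. Key tags, digests and
# signatures are placeholders, not values from the real zones.
PARENT_DS = """\
cdc.gov.       3600 IN DS 11111 8 2 PLACEHOLDERDIGEST
akam.cdc.gov.  3600 IN DS 22222 8 2 PLACEHOLDERDIGEST
"""
# Assumed shape of a +dnssec answer: the CNAME in the signed cdc.gov zone
# carries an RRSIG, the CNAME from the unsigned akam.cdc.gov copy does not.
ANSWER = """\
Covid.cdc.gov.       3600 IN CNAME covid.akam.cdc.gov.
Covid.cdc.gov.       3600 IN RRSIG CNAME 8 3 3600 20200930000000 20200831000000 11111 cdc.gov. PLACEHOLDERSIG
covid.akam.cdc.gov.  3600 IN CNAME covid.cdc.gov.edgekey.net.
"""

def parse(text):
    """Parse dig-style answer lines into (owner, rrtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rrtype, rdata = line.split(None, 4)
        # DNS names compare case-insensitively (RFC 4343), so the
        # "Covid.cdc.gov." owner matches a query for "covid.cdc.gov.".
        records.append((owner.lower(), rrtype.upper(), rdata))
    return records

def in_zone(name, zone):
    """True if name is at or below the zone apex."""
    return name == zone or name.endswith("." + zone)

def classify(owner, rrtype, parent_ds, answer):
    """Simplified decision for one RRset: insecure, bogus or signature-present."""
    owner, rrtype = owner.lower(), rrtype.upper()
    covered = any(t == "DS" and in_zone(owner, o) for o, t, _ in parent_ds)
    signed = any(o == owner and t == "RRSIG" and r.split()[0].upper() == rrtype
                 for o, t, r in answer)
    if not covered:
        return "insecure"           # no DS chain: answer accepted unvalidated
    # A DS exists, so a missing RRSIG is a validation failure (SERVFAIL).
    return "signature-present" if signed else "bogus"

if __name__ == "__main__":
    ds, ans = parse(PARENT_DS), parse(ANSWER)
    for name in ("covid.cdc.gov.", "covid.akam.cdc.gov."):
        print(name, classify(name, "CNAME", ds, ans))
```

A real validator would also verify the signature itself and require a signed proof of DS absence before treating a delegation as insecure.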
