Mark-san, > Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net > and they aren’t serving a incomplete version of akam.cdc.gov.
Certainly, cdc.gov has 5 NSes. And both uu.net servers return correct answer for covid.cdc.gov/A query. I added two dig outputs into my text, thank you. <https://www.dropbox.com/s/alfb1ftvzpd6qcv/20200831-covid.cdc.gov.txt> I think this case is so curious and these digs should be preserved, like an appldnld's case. <https://www.dropbox.com/s/nvw46gtxupggo1e/20120314-appldnld.apple.com.txt> -- Orange From: Mark Andrews <[email protected]> Subject: Re: [dns-operations] Strange behavior of covid.cdc.gov Date: Tue, 1 Sep 2020 14:22:16 +1000 > Thankfully cdc.gov is also served by auth00.ns.uu.net and auth100.ns.uu.net > and they aren’t serving a incomplete version of akam.cdc.gov. Recursive > servers will eventually get a valid referral rather than bogus (unsigned) > answers from ns[123].cdc.gov for akam.cdc.gov. > > Mark > >> On 1 Sep 2020, at 00:47, Stephane Bortzmeyer <[email protected]> wrote: >> >> On Mon, Aug 31, 2020 at 10:12:04PM +0900, >> Yasuhiro Orange Morishita / 森下泰宏 <[email protected]> wrote >> a message of 18 lines which said: >> >>> But it seems to be a little bit strange. The auth servers of cdc.gov >>> zone serve unneed (and unsigned) akam.cdc.gov zone. But they still >>> have DS RR for real akam.cdc.gov zone. >> >> They also do not return a proper delegation: >> >> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. A akam.cdc.gov >> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec >> @icdc-us-ns2.cdc.gov. A akam.cdc.gov >> ; (1 server found) >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43497 >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags: do; udp: 4096 >> ; COOKIE: 70d47b392dfb22d2662352815f4d0d3fe1c90df99f508386 (good) >> ;; QUESTION SECTION: >> ;akam.cdc.gov. IN A >> >> ;; AUTHORITY SECTION: >> akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. ( >> 612558384 ; serial >> 300 ; refresh (5 minutes) >> 180 ; retry (3 minutes) >> 1209600 ; expire (2 weeks) >> 3600 ; minimum (1 hour) >> ) >> >> ;; Query time: 98 msec >> ;; SERVER: 198.246.96.92#53(198.246.96.92) >> ;; WHEN: Mon Aug 31 16:46:23 CEST 2020 >> ;; MSG SIZE rcvd: 129 >> >> % dig +dnssec +norec @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov >> ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> +dnssec +norec >> @icdc-us-ns2.cdc.gov. DNSKEY akam.cdc.gov >> ; (1 server found) >> ;; global options: +cmd >> ;; Got answer: >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44336 >> ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 >> >> ;; OPT PSEUDOSECTION: >> ; EDNS: version: 0, flags: do; udp: 4096 >> ; COOKIE: 2e27a9b171983390a21696a65f4d0d54710de953e8dd107b (good) >> ;; QUESTION SECTION: >> ;akam.cdc.gov. IN DNSKEY >> >> ;; AUTHORITY SECTION: >> akam.cdc.gov. 3600 IN SOA a1-43.akam.net. adhelpdsk.cdc.gov. ( >> 612558384 ; serial >> 300 ; refresh (5 minutes) >> 180 ; retry (3 minutes) >> 1209600 ; expire (2 weeks) >> 3600 ; minimum (1 hour) >> ) >> >> ;; Query time: 98 msec >> ;; SERVER: 198.246.96.92#53(198.246.96.92) >> ;; WHEN: Mon Aug 31 16:46:44 CEST 2020 >> ;; MSG SIZE rcvd: 129 >> >> Whuch may explain the strange error messages of DNSviz (the IP >> addresses are for the parent zone). >> _______________________________________________ >> dns-operations mailing list >> [email protected] >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: [email protected] > >
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
