The host is www.irs.gov.

A further question.

DIG sets the DO flag even though the second and third entries in the CNAME
chain are not signed. There's basically no indication that there's really
any issue.

DELV indicates the host as "fully validated" then flags the second entry in
the CNAME chain as an "unsigned answer".

Should there be some further checking/indications of the issue?

There's also the issue of CNAME chaining, which as I recall was at one time
considered bad form. However, it's used extensively across the internet
(something like domain apex CNAMEs...).

Here's the DIG and DELV output (recursive server is running BIND 9.20.2 on
a Raspberry Pi under FreeBSD 14.1-p6):

root@RaspberryPI-00:~ # dig www.irs.gov. +dnssec

; <<>> DiG 9.20.2 <<>> www.irs.gov. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48697
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 086e3ab5107beca9010000006724eafeedfc230db3b6dfaf (good)
;; QUESTION SECTION:
;www.irs.gov.                   IN      A

;; ANSWER SECTION:
www.irs.gov.            300     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.            300     IN      RRSIG   CNAME 8 3 300
20241115030055 20241101020055 49935 irs.gov.
GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o
MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31
Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3
d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5
LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX
bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==
www.irs.gov.edgekey.net. 300    IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.37

;; AUTHORITY SECTION:
dscna.akamaiedge.net.   4000    IN      NS      n0dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n3dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n2dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n5dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n4dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n1dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n6dscna.akamaiedge.net.
dscna.akamaiedge.net.   4000    IN      NS      n7dscna.akamaiedge.net.

;; ADDITIONAL SECTION:
n0dscna.akamaiedge.net. 4000    IN      AAAA    2600:1480:e800::c0
n0dscna.akamaiedge.net. 4000    IN      A       88.221.81.192
n1dscna.akamaiedge.net. 4000    IN      A       23.63.249.205
n2dscna.akamaiedge.net. 4000    IN      A       23.44.6.12
n3dscna.akamaiedge.net. 4000    IN      A       23.44.6.9
n4dscna.akamaiedge.net. 4000    IN      A       23.44.6.38
n5dscna.akamaiedge.net. 4000    IN      A       23.44.6.13
n6dscna.akamaiedge.net. 4000    IN      A       23.44.6.22
n7dscna.akamaiedge.net. 4000    IN      A       23.218.252.156

;; Query time: 425 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Fri Nov 01 14:51:42 UTC 2024
;; MSG SIZE  rcvd: 803


root@RaspberryPI-00:~ # delv www.irs.gov.
; fully validated
www.irs.gov.            297     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.            297     IN      RRSIG   CNAME 8 3 300
20241115030055 20241101020055 49935 irs.gov.
GTyXpYeUQsixCz75h7Y3iBy0WgZYE1zYCx0cwWHluJvE3gsB8PgNA20o
MHvcFHdg/d8+V52k3L6vv+e3NBfnET624Tiq7z4QXyxqXQ1rs1IJ9/31
Ll/NkNpoFF94YUiukBAEXu/V070gCReafdzOmgV6hXyoQ2WaIKXBsM+3
d4VZnwIhgKuAJAfmkh4o9xrl/oAJT5uAoIntxLve03xcToYgik2RGLa5
LyXDf4yLWJ5T/0DInsTldK0ca+/PS92M+w5z+oRBfi5+yCd5Ueo2cETX
bDxpzkEXXvBAL5NhN9u62oK/ag7tg6c4rZceqnXfiWZSglE7IVjg9YA3 O+J82Q==

; unsigned answer
www.irs.gov.edgekey.net. 75     IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.6
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.30


Regards,

Bob
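As an added example (not from the post above or from ISC's tools), here is a small script that does the per-hop bookkeeping delv reports: it parses the ANSWER section of a `dig +dnssec` response, follows the CNAME chain, and lists each hop that has no RRSIG covering it. The sample input is constructed from the answer section in the post, with the RRSIG signature data omitted.

```python
# Added example: walk the CNAME chain in a dig +dnssec ANSWER section and
# report which hops carry an RRSIG. Presence of an RRSIG is not validation;
# it only shows which links the validating resolver could have checked.
from collections import defaultdict

# Constructed from the post's ANSWER section; signature bytes omitted.
ANSWER = """\
www.irs.gov.            300     IN      CNAME   www.irs.gov.edgekey.net.
www.irs.gov.            300     IN      RRSIG   CNAME 8 3 300 20241115030055 20241101020055 49935 irs.gov. (signature omitted)
www.irs.gov.edgekey.net. 300    IN      CNAME   e127382.dscna.akamaiedge.net.
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.29
e127382.dscna.akamaiedge.net. 20 IN     A       23.208.28.37
"""


def parse_answer(text):
    """Return (rrsets, signed): rrsets maps (owner, type) -> list of rdata,
    signed is the set of (owner, covered type) pairs that have an RRSIG."""
    rrsets, signed = defaultdict(list), set()
    for line in text.splitlines():
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))   # first field = type covered
        else:
            rrsets[(owner, rtype)].append(rdata)
    return rrsets, signed


def walk_chain(qname, rrsets, signed):
    """Follow CNAMEs from qname; return [(owner, type, has_rrsig), ...]."""
    hops, name, seen = [], qname, set()
    while name not in seen:
        seen.add(name)                        # guard against CNAME loops
        target = rrsets.get((name, "CNAME"))
        if target:
            hops.append((name, "CNAME", (name, "CNAME") in signed))
            name = target[0]
            continue
        for rtype in ("A", "AAAA"):           # terminal address RRset(s)
            if (name, rtype) in rrsets:
                hops.append((name, rtype, (name, rtype) in signed))
        break
    return hops


def unsigned_hops(qname, text):
    """Hops in the chain for qname that no RRSIG covers."""
    rrsets, signed = parse_answer(text)
    return [(o, t) for o, t, ok in walk_chain(qname, rrsets, signed) if not ok]


if __name__ == "__main__":
    for owner, rtype in unsigned_hops("www.irs.gov.", ANSWER):
        print(f"unsigned: {owner} {rtype}")
```

Note that the `do` flag dig prints is the EDNS bit that `+dnssec` asked for, not a verdict; the resolver's validation result is the `ad` bit in the header flags line, which is absent from the response above because the chain ends in unsigned data. delv performs real signature validation per hop, whereas this script only reports whether an RRSIG was returned at all.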