I'm looking for a cdc.gov contact. I've already tried hostmas...@cdc.gov and cameron.di...@cisa.dhs.gov with no luck.

We are having issues resolving www.cdc.gov/A with current BIND.

It's not just me:
https://community.cloudflare.com/t/cdc-gov-not-resolving/228798/13
https://forum.netgate.com/topic/159228/insanely-weird-issue-with-dns-resolution-to-www-cdc-gov/49

The main problem is that ns[123].cdc.gov. return REFUSED for www.akam.cdc.gov/A (which www.cdc.gov is a CNAME for):

$ dig www.akam.cdc.gov A @ns1.cdc.gov

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> www.akam.cdc.gov A @ns1.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8329
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 892a827575ada0c70100000066a4183e24d8acbcc25acb8c (good)
;; QUESTION SECTION:
;www.akam.cdc.gov.              IN      A

;; Query time: 76 msec
;; SERVER: 198.246.96.61#53(ns1.cdc.gov) (UDP)
;; WHEN: Fri Jul 26 16:42:22 CDT 2024
;; MSG SIZE  rcvd: 73

It turns out that our particular configuration makes this more likely (which might be why they're not hearing of this left and right), but the issue is not specific to our configuration.

According to a BIND developer:

"simply by querying for cdc.gov/NS first and only then querying for www.cdc.gov/A - the result will be a SERVFAIL... That's because the authoritative server set is different in gov. and in cdc.gov. and, in particular, all of the servers listed in the NS RRset at the child side of the zone cut return REFUSED to all queries for akam.cdc.gov and its subdomains. That's why as soon as a resolver caches the child-side NS RRset, it will not be able to resolve anything inside the akam.cdc.gov zone"

For more details, see the full comment here:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4787#note_470454

Also, you can see a warning on the gov to cdc.gov delegation here:
https://dnsviz.net/d/www.cdc.gov/dnssec/

gov. has NS records pointing to auth00.ns.uu.net. and auth100.ns.uu.net. that ns[123].cdc.gov. do not. I assume that's what he is referring to when he says the "authoritative server set is different in gov. and in cdc.gov." That should also be fixed.

--
Richard

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
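The two observations in the message above (a REFUSED reply from the child-side name servers, and a parent/child NS RRset that disagree) can be checked mechanically. The following is an added example, not code from the message author or from BIND. It hand-builds the 73-byte wire-format reply that the dig output shows (same id, flags, question and cookie), parses it with a minimal DNS message decoder, and then models the resolver behaviour the BIND developer describes over two constructed NS sets. The sets are assumptions: the parent (gov.) side is assumed to list ns[123].cdc.gov plus the two uu.net servers, the child side only ns[123].cdc.gov, and the uu.net servers are assumed to answer NOERROR for the name, which the page implies but does not show.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 41: "OPT"}


def encode_name(name):
    """Encode a dotted name into DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_refused_reply():
    """Constructed copy of the REFUSED reply in the dig output: id 8329,
    flags qr rd, rcode 5, one question, no answer/authority, one OPT RR
    with udp size 1232 and the server cookie (EDNS option code 10)."""
    cookie = bytes.fromhex("892a827575ada0c70100000066a4183e24d8acbcc25acb8c")
    header = struct.pack("!HHHHHH", 8329, 0x8105, 1, 0, 0, 1)   # 0x8105 = qr|rd|rcode 5
    question = encode_name("www.akam.cdc.gov") + struct.pack("!HH", 1, 1)  # A, IN
    opt_rdata = struct.pack("!HH", 10, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt_rdata) ) + opt_rdata
    return header + question + opt


def decode_name(data, offset):
    """Decode a wire-format name at offset; follows compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(data):
    """Parse header, question section and the OPT pseudo-RR of a DNS reply."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, edns = 12, [], None
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, QTYPES.get(qtype, qtype)))
    for _ in range(an + ns + ar):                      # walk RRs to find OPT
        _, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 41:                                # OPT: class field = UDP payload size
            edns = {"udp_size": rclass, "has_cookie": False}
            rdata, pos = data[offset:offset + rdlen], 0
            while pos + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                edns["has_cookie"] |= (code == 10)
                pos += 4 + olen
        offset += rdlen
    return {"id": msg_id, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, flags & 0xF),
            "questions": questions, "counts": (an, ns, ar), "edns": edns}


# Constructed NS sets and per-server results (assumptions, see lead-in).
PARENT_NS = {"ns1.cdc.gov.", "ns2.cdc.gov.", "ns3.cdc.gov.",
             "auth00.ns.uu.net.", "auth100.ns.uu.net."}
CHILD_NS = {"ns1.cdc.gov.", "ns2.cdc.gov.", "ns3.cdc.gov."}
PROBE = {"ns1.cdc.gov.": "REFUSED", "ns2.cdc.gov.": "REFUSED", "ns3.cdc.gov.": "REFUSED",
         "auth00.ns.uu.net.": "NOERROR", "auth100.ns.uu.net.": "NOERROR"}


def delegation_mismatch(parent_ns, child_ns):
    """Return (parent-only, child-only) servers; both empty means the sets agree."""
    return sorted(parent_ns - child_ns), sorted(child_ns - parent_ns)


def resolve_outcome(ns_set, probe):
    """Model a resolver trying each server in ns_set for one name: REFUSED and
    timeouts are skipped, any other rcode is final, and exhausting the set
    yields SERVFAIL. This is the mechanism the BIND developer describes."""
    for server in sorted(ns_set):
        rcode = probe.get(server, "TIMEOUT")
        if rcode not in ("REFUSED", "TIMEOUT"):
            return rcode
    return "SERVFAIL"


if __name__ == "__main__":
    print(parse_response(build_refused_reply()))
    print("parent-only / child-only:", delegation_mismatch(PARENT_NS, CHILD_NS))
    print("using parent-side NS set:", resolve_outcome(PARENT_NS, PROBE))
    print("using cached child-side NS set:", resolve_outcome(CHILD_NS, PROBE))
```

The decoder is enough to triage a captured UDP payload offline (rcode, which flags the server set, whether EDNS and a cookie came back), and the last two calls show why the order of queries matters: a resolver that has cached the child-side NS RRset has only refusing servers left and must return SERVFAIL.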
