NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

DNS Misconfigured or Unbound Problem #430

Closed mxmartins closed 3 years ago

mxmartins commented 3 years ago

I'm using Unbound 1.13.1 with DNSSEC enabled, and using Cloudflare DNS servers. I am not able to resolve www.cdc.gov. It fails because `Missing DNSKEY RRset in response to DNSKEY query`.

When I `dig +dnssec www.cdc.gov`:

```
C:\Users\M>dig +dnssec www.cdc.gov

; <<>> DiG 9.16.8 <<>> +dnssec www.cdc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9269
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.           IN  A

;; Query time: 0 msec
;; SERVER: 192.168.10.253#53(192.168.10.253)
;; WHEN: Fri Feb 19 15:37:32 Mountain Standard Time 2021
;; MSG SIZE  rcvd: 40
```

Looking at the Unbound log, I see this:

```
Feb 19 15:38:33 unbound[550:2] info: resolving www.cdc.gov. A IN
Feb 19 15:38:33 unbound[550:2] info: response for www.cdc.gov. A IN
Feb 19 15:38:33 unbound[550:2] info: reply from <.> 2606:4700:4700::1111#853
Feb 19 15:38:33 unbound[550:2] info: query response was CNAME
Feb 19 15:38:33 unbound[550:2] info: resolving www.cdc.gov. A IN
Feb 19 15:38:33 unbound[550:2] info: response for www.cdc.gov. A IN
Feb 19 15:38:33 unbound[550:2] info: reply from <.> 2606:4700:4700::1111#853
Feb 19 15:38:33 unbound[550:2] info: query response was ANSWER
Feb 19 15:38:33 unbound[550:2] info: validate(cname): sec_status_secure
Feb 19 15:38:33 unbound[550:2] info: resolving akam.cdc.gov. DS IN
Feb 19 15:38:33 unbound[550:2] info: validated DS akam.cdc.gov. DS IN
Feb 19 15:38:33 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:33 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:33 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:34 unbound[550:2] info: response for akam.cdc.gov. DNSKEY IN
Feb 19 15:38:34 unbound[550:2] info: reply from <.> 2606:4700:4700::1111#853
Feb 19 15:38:34 unbound[550:2] info: query response was nodata ANSWER
Feb 19 15:38:34 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:34 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:35 unbound[550:2] info: response for akam.cdc.gov. DNSKEY IN
Feb 19 15:38:35 unbound[550:2] info: reply from <.> 2606:4700:4700::1001#853
Feb 19 15:38:35 unbound[550:2] info: query response was nodata ANSWER
Feb 19 15:38:35 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:35 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:36 unbound[550:2] info: response for akam.cdc.gov. DNSKEY IN
Feb 19 15:38:36 unbound[550:2] info: reply from <.> 1.0.0.1#853
Feb 19 15:38:36 unbound[550:2] info: query response was nodata ANSWER
Feb 19 15:38:36 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:36 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:37 unbound[550:2] info: response for akam.cdc.gov. DNSKEY IN
Feb 19 15:38:37 unbound[550:2] info: reply from <.> 1.1.1.1#853
Feb 19 15:38:37 unbound[550:2] info: query response was nodata ANSWER
Feb 19 15:38:37 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:37 unbound[550:2] info: resolving akam.cdc.gov. DNSKEY IN
Feb 19 15:38:37 unbound[550:2] info: response for akam.cdc.gov. DNSKEY IN
Feb 19 15:38:37 unbound[550:2] info: reply from <.> 2606:4700:4700::1111#853
Feb 19 15:38:37 unbound[550:2] info: query response was nodata ANSWER
Feb 19 15:38:37 unbound[550:2] info: Missing DNSKEY RRset in response to DNSKEY query.
Feb 19 15:38:37 unbound[550:2] info: Could not establish a chain of trust to keys for akam.cdc.gov. DNSKEY IN
```

If I `dig +dnssec @1.1.1.1 www.cdc.gov`, the answer appears to be correct (same answer from 1.0.0.1):

```
C:\Users\M>dig +dnssec @1.1.1.1 www.cdc.gov

; <<>> DiG 9.16.8 <<>> +dnssec @1.1.1.1 www.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2019
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.cdc.gov.           IN  A

;; ANSWER SECTION:
www.cdc.gov.        249 IN  CNAME   www.akam.cdc.gov.
www.cdc.gov.        249 IN  RRSIG   CNAME 7 3 300 20210226133457 20210216132957 42473 cdc.gov. n1VRoI84Zp5l+GHq7t24N7Pau6fBPG6YZ71WixTpeCSsp0EM28t8EiL4 2UQJPutO2k7WkZV8etYsEp5p6FzQ0RUOPQfljzaLYv9e4AyLWfEfHiof ZVTy6aT4gJLxiYG8W9JuhCE8JX4ldeqM7FKkvxZL2yt7rVKzJ3GK+CG2 c64=
www.akam.cdc.gov.   20  IN  A   23.50.33.231
www.akam.cdc.gov.   20  IN  RRSIG   A 10 4 20 20210222195731 20210219185731 3212 akam.cdc.gov. F4r4mpaCu4cbQC+aj35Cr5NSCB2stgHFpdJvBK/JtQLwUtE86f7CqGtF QMGYLeDsYB0Ne2ay+MY/QUEn8SJ5Z+A+AM3py4CDjyoMCtMg8vbnyKYz /Pz34UXetwPyxhwenRg0SeHeQPyCsBH3jUYG25r6fNi0zs9BdyxKjaDc +iw=

;; Query time: 95 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Feb 19 15:37:08 Mountain Standard Time 2021
;; MSG SIZE  rcvd: 418
```

So, it appears Unbound is not handling DNSSEC properly, or I have something misconfigured. But I have not changed my settings and they were working properly. What am I missing?

Here's my config:

server:
###########################################################################
# BASIC SETTINGS
###########################################################################
# Time to live maximum for RRsets and messages in the cache. If the maximum
# kicks in, responses to clients still get decrementing TTLs based on the
# original (larger) values. When the internal TTL expires, the cache item
# has expired. Can be set lower to force the resolver to query for data
# often, and not trust (very large) TTL values.
cache-max-ttl: 86400

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data any more.
cache-min-ttl: 300

# Set the working directory for the program.
#directory: "/etc/unbound/"

# RFC 6891. Number  of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into  datagrams over UDP towards peers.
# The actual buffer size is determined by msg-buffer-size (both for TCP and
# UDP). Do not set higher than that value.
# Default  is  1232 which is the DNS Flag Day 2020 recommendation.
# Setting to 512 bypasses even the most stringent path MTU problems, but
# is seen as extreme, since the amount of TCP fallback generated is
# excessive (probably also for this resolver, consider tuning the outgoing
# tcp number).
edns-buffer-size: 1232

# Listen to for queries from clients and answer from this network interface
# and port.
interface: 0.0.0.0@52
interface: ::@52

# Rotates RRSet order in response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).
rrset-roundrobin: yes

# Drop user  privileges after  binding the port.
username: "unbound"

# May be set to yes if you have IPv6 connectivity
do-ip6: yes

###########################################################################
# LOGGING
###########################################################################

# Do not print log lines to inform about local zone actions
log-local-actions: no

# Do not print one line per query to the log
log-queries: no

# Do not print one line per reply to the log
log-replies: no

# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no

# Further limit logging
#logfile: /dev/null
logfile: "/unbound.log"

# Only log errors
#verbosity: 0
verbosity: 1

# Log time in UTC
log-time-ascii: yes

###########################################################################
# PRIVACY SETTINGS
###########################################################################

# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDOMAIN and other
# denials, using information from previous NXDOMAIN answers. In other
# words, use cached NSEC records to generate negative answers within a
# range and positive answers from wildcards. This increases performance,
# decreases latency and resource utilization on both authoritative and
# recursive servers, and increases privacy. Also, it may help increase
# resilience to certain DoS attacks in some circumstances.
aggressive-nsec: yes

# Extra delay for timeouted UDP ports before they are closed, in msec.
# This prevents very delayed answer packets from the upstream (recursive)
# servers from bouncing against closed ports and setting off all sort of
# close-port counters, with eg. 1500 msec. When timeouts happen you need
# extra sockets, it checks the ID and remote IP of packets, and unwanted
# packets are added to the unwanted packet counter.
delay-close: 10000

# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no

# Add localhost to the do-not-query-address list.
do-not-query-localhost: no

# Number  of  bytes size of the aggressive negative cache.
neg-cache-size: 4M

# Send minimum amount of information to upstream servers to enhance
# privacy (best privacy).
qname-minimisation: yes

###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: ::1/128 allow
access-control: x:x:x:b141::0/64 allow
access-control: x:x:x:b142::0/64 allow
access-control: x:x:x:b143::0/64 allow
access-control: x:x:x:b144::0/64 allow
access-control: x:x:x:b145::0/64 allow
access-control: x:x:x:b146::0/64 allow
access-control: x:x:x:b147::0/64 allow
access-control: x:x:x:b148::0/64 allow
access-control: x:x:x:b149::0/64 allow
# access-control: fc00::/7 allow
# access-control: ::1/128 allow

# File with trust anchor for  one  zone, which is tracked with RFC5011
# probes.
auto-trust-anchor-file: "var/root.key"

# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
#chroot: "/etc/unbound/"

# Deny queries of type ANY with an empty response.
deny-any: yes   

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes

# RFC 8020. returns nxdomain to queries for a name below another name that
# is already known to be nxdomain.
harden-below-nxdomain: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. If turned off you run the risk of a downgrade attack
# that disables security for a zone.
harden-dnssec-stripped: yes

# Only trust glue if it is within the servers authority.
harden-glue: yes

# Ignore very large queries.
harden-large-queries: yes

# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the 
# answer. Experimental option.
harden-referral-path: no

# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes

# Refuse id.server and hostname.bind queries
hide-identity: yes

# Refuse version.server and version.bind queries
hide-version: yes

# Report this identity rather than the hostname of the server.
identity: "DNS"

# These private network addresses are not allowed to be returned for public
# internet names. Any  occurrence of such addresses are removed from DNS
# answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
# This  protects  against DNS  Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96

# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000

# Use this certificate bundle for authenticating connections made to
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Set the total number of unwanted replies to keep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000

# Use 0x20-encoded random bits in the query to foil spoof attempts. This
# perturbs the lowercase and uppercase of query names sent to authority
# servers and checks if the reply still has the correct casing.
# This feature is an experimental implementation of draft dns-0x20.
# Experimental option.
use-caps-for-id: yes

# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes

###########################################################################
# PERFORMANCE SETTINGS
###########################################################################
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/

# Number of slabs in the infrastructure cache. Slabs reduce lock contention
# by threads. Must be set to a power of 2.
infra-cache-slabs: 4

# Number of incoming TCP buffers to allocate per thread. Default
# is 10. If set to 0, or if do-tcp is "no", no  TCP  queries  from
# clients  are  accepted. For larger installations increasing this
# value is a good idea.
incoming-num-tcp: 10    

# Number of slabs in the key cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number
# of cpus is a reasonable guess.
key-cache-slabs: 4

# Number  of  bytes  size  of  the  message  cache.
# Unbound recommendation is to Use roughly twice as much rrset cache memory
# as you use msg cache memory.
msg-cache-size: 2801310378

# Number of slabs in the message cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number of
# cpus is a reasonable guess.
msg-cache-slabs: 4

# The number of queries that every thread will service simultaneously. If
# more queries arrive that need servicing, and no queries can be jostled
# out (see jostle-timeout), then the queries are dropped.
# This is best set at half the number of the outgoing-range.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
num-queries-per-thread: 4096

# The number of threads to create to serve clients.
# This is set dynamically at run time to effectively use available CPUs
# resources
num-threads: 4

# Number of ports to open. This number of file descriptors can be opened
# per thread.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
outgoing-range: 8192

# Number of bytes size of the RRset cache.
# Use roughly twice as much rrset cache memory as msg cache memory
rrset-cache-size: 5602620757

# Number of slabs in the RRset cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2.
rrset-cache-slabs: 4

# Do not insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup.
minimal-responses: yes

# Prefetch message cache elements before they expire, to keep the cache up
# to date. This gives about 10 percent more traffic and load on the machine,
# but popular items do not expire from the cache.
prefetch: yes

# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes

# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes

# Open dedicated listening sockets for incoming queries for each thread and
# try to set the SO_REUSEPORT socket option on each socket. May distribute
# incoming queries to threads more evenly.
so-reuseport: yes

###########################################################################
# LOCAL ZONE
###########################################################################

# Include file for local-data and local-data-ptr

include: /etc/unbound/srv-records.conf
include: /etc/unbound/a-records.conf

###########################################################################
# FORWARD ZONE
###########################################################################
include: /etc/unbound/forward-records.conf

remote-control:
    control-enable: no

edmonds commented 3 years ago

Yes, there is misconfiguration, but it is in the cdc.gov zone.

https://dnsviz.net/d/www.cdc.gov/YC7hBQ/dnssec/

https://lists.dns-oarc.net/pipermail/dns-operations/2020-December/020779.html

https://gitlab.nic.cz/knot/knot-resolver/-/issues/662#note_188577

I have found that setting `qname-minimisation: no` in the Unbound configuration makes it more likely to resolve www.cdc.gov successfully, but the problem lies in the cdc.gov nameservers.


The cdc.gov nameservers publish:

1. A signed alias of www.cdc.gov to www.akam.cdc.gov.
; <<>> DiG 9.16.12-Debian <<>> +dnssec +norec @ns1.cdc.gov www.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39120
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cdc.gov.           IN  A

;; ANSWER SECTION:
www.cdc.gov.        300 IN  CNAME   www.akam.cdc.gov.
www.cdc.gov.        300 IN  RRSIG   CNAME 7 3 300 20210226133457 20210216132957 42473 cdc.gov. n1VRoI84Zp5l+GHq7t24N7Pau6fBPG6YZ71WixTpeCSsp0EM28t8EiL4 2UQJPutO2k7WkZV8etYsEp5p6FzQ0RUOPQfljzaLYv9e4AyLWfEfHiof ZVTy6aT4gJLxiYG8W9JuhCE8JX4ldeqM7FKkvxZL2yt7rVKzJ3GK+CG2 c64=
www.akam.cdc.gov.   3600    IN  CNAME   www.cdc.gov.edgekey.net.

;; Query time: 4 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Sat Feb 20 13:44:13 EST 2021
;; MSG SIZE  rcvd: 267
2. An unsigned NODATA response for akam.cdc.gov.
; <<>> DiG 9.16.12-Debian <<>> +dnssec +norec @ns1.cdc.gov akam.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37047
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;akam.cdc.gov.          IN  A

;; AUTHORITY SECTION:
akam.cdc.gov.       3600    IN  SOA a1-43.akam.net. adhelpdsk.cdc.gov. 618054256 300 180 1209600 3600

;; Query time: 4 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Sat Feb 20 13:54:31 EST 2021
;; MSG SIZE  rcvd: 101
3. A signed delegation of akam.cdc.gov. However, the DS and RRSIG(DS) RRsets are not included in the response to a type NS query.
; <<>> DiG 9.16.12-Debian <<>> +dnssec +norec @ns1.cdc.gov akam.cdc.gov -t NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52419
;; flags: qr aa; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;akam.cdc.gov.          IN  NS

;; ANSWER SECTION:
akam.cdc.gov.       86400   IN  NS  a9-64.akam.net.
akam.cdc.gov.       86400   IN  NS  a28-65.akam.net.
akam.cdc.gov.       86400   IN  NS  a1-43.akam.net.
akam.cdc.gov.       86400   IN  NS  a8-67.akam.net.
akam.cdc.gov.       86400   IN  NS  a2-64.akam.net.
akam.cdc.gov.       86400   IN  NS  a5-66.akam.net.

;; Query time: 4 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Sat Feb 20 13:44:37 EST 2021
;; MSG SIZE  rcvd: 170
; <<>> DiG 9.16.12-Debian <<>> +dnssec +norec @ns1.cdc.gov akam.cdc.gov -t DS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37596
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;akam.cdc.gov.          IN  DS

;; ANSWER SECTION:
akam.cdc.gov.       3600    IN  DS  4524 10 2 0314BA0480947FEB958DBA3AD3447CFA4906F9187EA6C4D882AE692D BBF582AA
akam.cdc.gov.       3600    IN  RRSIG   DS 7 3 3600 20210226133457 20210216132957 42473 cdc.gov. dcBL5Kei4G9UxqHjPHzj2VpzqriXTOPxI4vOwvdepFSHYisb1Sj8RE9l 6E8Xyu+aznJXoYWjfhUC1PHOy/9P03WnwndrDED8H1fAIPl+mHuoQBxe /tteoG5UI3dt1nyfywr0nDbGxJCuFqZtcjZQDbPksTjGceRuA/KCxlm7 7QY=

;; Query time: 8 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Sat Feb 20 13:44:40 EST 2021
;; MSG SIZE  rcvd: 256
4. An unsigned alias of www.akam.cdc.gov to www.cdc.gov.edgekey.net. It is inconsistent for the cdc.gov nameservers to publish answer section records for www.akam.cdc.gov given that akam.cdc.gov is a delegation point and akam.cdc.gov is served by a completely different set of nameservers.
; <<>> DiG 9.16.12-Debian <<>> +dnssec +norec @ns1.cdc.gov www.akam.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2625
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.akam.cdc.gov.      IN  A

;; ANSWER SECTION:
www.akam.cdc.gov.   3600    IN  CNAME   www.cdc.gov.edgekey.net.

;; Query time: 4 msec
;; SERVER: 198.246.96.61#53(198.246.96.61)
;; WHEN: Sat Feb 20 13:44:44 EST 2021
;; MSG SIZE  rcvd: 82

Some resolvers are able to find a working resolution path due to the inclusion of the Verizon nameservers auth00.ns.uu.net and auth100.ns.uu.net in the NS RRset for cdc.gov published by the gov nameservers, but the Verizon nameservers are not included in the NS RRset at the apex of the cdc.gov zone. The Verizon nameservers correctly publish the signed delegation of akam.cdc.gov:

; <<>> DiG 9.16.12-Debian <<>> +norec +dnssec @a.gov-servers.net cdc.gov
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29105
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 6e 6e 6e 31 2d 6d 69 61 34 ("nnn1-mia4")
;; QUESTION SECTION:
;cdc.gov.           IN  A

;; AUTHORITY SECTION:
cdc.gov.        86400   IN  NS  ns2.cdc.gov.
cdc.gov.        86400   IN  NS  auth00.ns.uu.net.
cdc.gov.        86400   IN  NS  ns1.cdc.gov.
cdc.gov.        86400   IN  NS  ns3.cdc.gov.
cdc.gov.        86400   IN  NS  auth100.ns.uu.net.
cdc.gov.        3600    IN  DS  65139 7 1 7286F5FD253E710BAB8CEDA4E3BA2231BA64D8E6
cdc.gov.        3600    IN  DS  65139 7 2 3541905D7C11575AB8999048B4399BB11DDA85AA2EC34A796C3DD26C F3A6FD1E
cdc.gov.        3600    IN  RRSIG   DS 8 2 3600 20210227171009 20210220171009 27306 gov. lJgQuUHTCHnoghHqm5HYAzfuRuE5okBm/LcqGsZQLp2jOlcucwaU60Ey 8RZS+hsCXYVxhzTSJ/cbQVVWa0QJJvi6bVKt2Zpjl2CjCy5s6sdn8f9u /fUhPWFkvw1pMfKpN2K3+A6gAOx0lXkpPej4lCjEa+UiUgZ7XM4aLbl2 6Kcdox8SxwxTnsBERLEQJ4iJkuCq8mlXoUreh5/tfu3GyQ==

;; ADDITIONAL SECTION:
ns2.cdc.gov.        86400   IN  A   198.246.96.92
ns1.cdc.gov.        86400   IN  A   198.246.96.61
ns3.cdc.gov.        86400   IN  A   198.246.125.10

;; Query time: 16 msec
;; SERVER: 2001:500:4431::2:30#53(2001:500:4431::2:30)
;; WHEN: Sat Feb 20 13:57:02 EST 2021
;; MSG SIZE  rcvd: 482
; <<>> DiG 9.16.12-Debian <<>> +norec +dnssec @auth00.ns.uu.net. akam.cdc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31753
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; NSID: 56 65 72 69 7a 6f 6e ("Verizon")
;; QUESTION SECTION:
;akam.cdc.gov.          IN  A

;; AUTHORITY SECTION:
akam.cdc.gov.       86400   IN  NS  a5-66.akam.net.
akam.cdc.gov.       86400   IN  NS  a28-65.akam.net.
akam.cdc.gov.       86400   IN  NS  a1-43.akam.net.
akam.cdc.gov.       86400   IN  NS  a9-64.akam.net.
akam.cdc.gov.       86400   IN  NS  a8-67.akam.net.
akam.cdc.gov.       86400   IN  NS  a2-64.akam.net.
akam.cdc.gov.       3600    IN  DS  4524 10 2 0314BA0480947FEB958DBA3AD3447CFA4906F9187EA6C4D882AE692D BBF582AA
akam.cdc.gov.       3600    IN  RRSIG   DS 7 3 3600 20210226133457 20210216132957 42473 cdc.gov. dcBL5Kei4G9UxqHjPHzj2VpzqriXTOPxI4vOwvdepFSHYisb1Sj8RE9l 6E8Xyu+aznJXoYWjfhUC1PHOy/9P03WnwndrDED8H1fAIPl+mHuoQBxe /tteoG5UI3dt1nyfywr0nDbGxJCuFqZtcjZQDbPksTjGceRuA/KCxlm7 7QY=

;; Query time: 8 msec
;; SERVER: 198.6.1.65#53(198.6.1.65)
;; WHEN: Sat Feb 20 13:57:11 EST 2021
;; MSG SIZE  rcvd: 396

mxmartins commented 3 years ago

Understood. Thank you for looking into the issue and explaining it. I will try to bring it to the attention of those in charge of the cdc.gov domain. I'll go ahead and close this issue.