department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

tear down search.vets.gov hostname #791

Closed wyattwalter closed 4 years ago

wyattwalter commented 5 years ago

Description

Part of the implementation of vets.gov included a search.vets.gov CNAME that pointed at a search.usa.gov-specified CNAME. The pages for search were then served by search.gov. This has since been torn down and search.vets.gov does redirect back to www.va.gov after the re-launch, but the subdomain continues to exist in VA DNS. This showed up recently as someone pointed out that the certificate was nearing its expiration date, but search.gov is using Let's Encrypt, so it's perfectly normal for them to constantly be within 60 days of the expiration. We should tear this down to clean it up and remove the need to explain this again if it comes up.

Need to:

AC

wyattwalter commented 5 years ago

Hey @boris-ning-usds I'm assigning to you for the moment, can you help us with the ESECC portion? Just need to file a decommission request for the search.vets.gov subdomain in VA DNS.

boris-ning-usds commented 5 years ago

search.vets.gov is not in VA DNS though, is it?

dig +short search.vets.gov
vets-gov-search.sites.infr.search.usa.gov.
34.202.78.189
34.230.181.82
34.203.139.28

This isn't something NSOC Gateway Ops owns today so asking ESECC to approve it and having Gateway Ops shut it down won't make sense, right?

boris-ning-usds commented 5 years ago

@wyattwalter search.vets.gov's authoritative nameservers are hosted by search.usa.gov, likely by a team called DigitalGov.

dig +short NS search.vets.gov
vets-gov-search.sites.infr.search.usa.gov

The certificate looks like it's been updated for that site, so it'll last till May 5th 2020. From this site: https://digital.gov/services/search/, it sounds like we should be reaching out to digitalgov@gsa.gov.

Do you happen to have any familiar contact there? I can try to bridge the gaps and send an email out otherwise.

wyattwalter commented 5 years ago

The search.vets.gov record is a CNAME pointed at vets-gov-search.sites.infr.search.usa.gov. The NS records for those (which is the result you are seeing there) are owned by search.gov. However, we need Gateway Ops (who I assume would be the group controlling the VA NS nodes) to remove that CNAME (and any other record types for search.vets.gov) before having search.gov tear down on their end.

I'd want the teardown of the record on search.vets.gov to happen first, as we don't have a defined behavior for what happens if search.vets.gov still points at search.gov but search.gov tears things down on their end.

We have contacts at search.gov and any one of us could reach out to them: https://github.com/department-of-veterans-affairs/devops/blob/master/docs/External%20Service%20Integrations/Search.gov.md

boris-ning-usds commented 5 years ago

Hmm, alright. Just sent an email over to NSOC. If they find something, I'll file a decommission ESECC for it. If they don't find anything, there's nothing I can say in the ticket anyway because the end result is that NSOC needs to do the work to decommission it.

Edit: Wyatt, after looking at this a little more, search.vets.gov is redirecting to vets.gov, which is under NSOC's control. So... chances are we'll need to tell the search.gov team to remove pointing to vets.gov.

boris-ning-usds commented 5 years ago

Ooh, looks like you're right and I'm wrong. There is indeed a CNAME for search.vets.gov within VA NS. I've filed RFC-2063 for this.

boris-ning-usds commented 5 years ago

This was just completed by the network team. @wyattwalter, I sent your team the references in email. Can you validate and close this out? Thanks.

wyattwalter commented 4 years ago

👍 Thanks Boris! I just verified and shot an email over to search.gov support for them to tear this down on their side.

wyattwalter commented 4 years ago

Looks like this did not get torn down internally. I thought they were the same zone, but clearly not. I'll check with internal DNS folks quick.

wyattwalter commented 4 years ago

Filed INC7661761 for the internal change.
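
The thread settles on removing the VA-side CNAME before the vendor tears down its end, and later finds the internal zone still held the record. The following is an added example, not part of the thread or the project's code: it classifies `dig +noall +answer` output per DNS view so a decommission can be confirmed in every zone. The sample answers are constructed, and resolver addresses are supplied by the caller.

```python
import subprocess

HOST = "search.vets.gov"

# Constructed `dig +noall +answer` output, not captured from any real resolver.
SAMPLE_VIEWS = {
    "external": "",  # record already removed from the public zone
    "internal": (
        "search.vets.gov. 300 IN CNAME vets-gov-search.sites.infr.search.usa.gov.\n"
        "vets-gov-search.sites.infr.search.usa.gov. 60 IN A 192.0.2.10\n"
    ),
    "internal-after-vendor-teardown": (
        "search.vets.gov. 300 IN CNAME vets-gov-search.sites.infr.search.usa.gov.\n"
    ),
}

def query(host, resolver):
    """Live A lookup against one resolver; repeat per record type as needed."""
    cmd = ["dig", "+noall", "+answer", host, "A", "@" + resolver]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_answer(text):
    """Turn answer-section lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(fields) == 5 and not line.lstrip().startswith(";"):
            owner, _ttl, _cls, rtype, rdata = fields
            records.append((owner.rstrip(".").lower(), rtype.upper(), rdata.strip().rstrip(".").lower()))
    return records

def classify(host, text):
    """State of host in one view: removed, cname-live, cname-dangling, other-records."""
    records = parse_answer(text)
    if not records:
        return "removed"
    if any(owner == host and rtype == "CNAME" for owner, rtype, _ in records):
        resolves = any(rtype in ("A", "AAAA") for _, rtype, _ in records)
        return "cname-live" if resolves else "cname-dangling"
    return "other-records"

def audit(host, views):
    """Map each view name to its state; teardown is done only when all are 'removed'."""
    return {name: classify(host, text) for name, text in views.items()}

if __name__ == "__main__":
    for view, state in audit(HOST, SAMPLE_VIEWS).items():
        print(f"{view:32} {state}")
```

For a live check, pass `query(HOST, resolver)` for each internal and external resolver as the view text; a `cname-dangling` result means the alias outlived its target and should be removed from that zone.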