Cdc.gov not resolving

kovatsgeorge · December 11, 2020, 4:37pm

cdc.gov isn’t resolving?

nslookup www.cdc.gov
;; Got SERVFAIL reply from 1.1.1.1, trying next server
;; Got SERVFAIL reply from 1.0.0.1, trying next server
Server:		2606:4700:4700::1111
Address:	2606:4700:4700::1111#53
** server can't find www.cdc.gov: SERVFAIL

sdayman · December 11, 2020, 4:39pm

@mvavrusa was checking on this a while back. Maybe he’s found out what the problem was/is.

mvavrusa · December 11, 2020, 5:04pm

There’s a subset of nameservers for akam.cdc.gov that doesn’t return keys https://dnsviz.net/d/www.cdc.gov/dnssec/ so if you’re unlucky it’s going to fail. I added another workaround so it should be better.

kovatsgeorge · December 11, 2020, 5:14pm

Either I was unlucky or that worked. @mvavrusa looks good now on my end, thanks!

subwayjared · January 14, 2021, 5:36am

I had to disable DNSSEC on my DNS server to visit.

jglazko · January 16, 2021, 4:32pm

Agreed, having issues reaching cdc.gov this morning. Looks like culprit is as posted above. Maybe some more yet to add?

|Jan 16 11:08:37|unbound|56538:0|info: control cmd: dump_infra|
| --- | --- | --- | --- |
|Jan 16 11:08:35|unbound|56538:1|info: Could not establish a chain of trust to keys for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:1|info: Missing DNSKEY RRset in response to DNSKEY query.|
|Jan 16 11:08:35|unbound|56538:1|info: query response was nodata ANSWER|
|Jan 16 11:08:35|unbound|56538:1|info: reply from <.> 1.0.0.1#853|
|Jan 16 11:08:35|unbound|56538:1|info: response for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:3|info: Could not establish a chain of trust to keys for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:3|info: Missing DNSKEY RRset in response to DNSKEY query.|
|Jan 16 11:08:35|unbound|56538:3|info: query response was nodata ANSWER|
|Jan 16 11:08:35|unbound|56538:3|info: reply from <.> 1.0.0.1#853|
|Jan 16 11:08:35|unbound|56538:3|info: response for akam.cdc.gov. DNSKEY IN|