Cdc.gov not resolving

cdc.gov isn’t resolving?

nslookup www.cdc.gov
;; Got SERVFAIL reply from 1.1.1.1, trying next server
;; Got SERVFAIL reply from 1.0.0.1, trying next server
Server:		2606:4700:4700::1111
Address:	2606:4700:4700::1111#53
** server can't find www.cdc.gov: SERVFAIL

@mvavrusa was checking on this a while back. Maybe he’s found out what the problem was/is.

There’s a subset of nameservers for akam.cdc.gov that doesn’t return keys www.cdc.gov | DNSViz so if you’re unlucky it’s going to fail. I added another workaround so it should be better.

Either I was unlucky or that worked. @mvavrusa looks good now on my end, thanks!

I had to disable DNSSEC on my DNS server to visit.

Agreed, having issues reaching cdc.gov this morning. Looks like culprit is as posted above. Maybe some more yet to add?

|Jan 16 11:08:37|unbound|56538:0|info: control cmd: dump_infra|
| --- | --- | --- | --- |
|Jan 16 11:08:35|unbound|56538:1|info: Could not establish a chain of trust to keys for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:1|info: Missing DNSKEY RRset in response to DNSKEY query.|
|Jan 16 11:08:35|unbound|56538:1|info: query response was nodata ANSWER|
|Jan 16 11:08:35|unbound|56538:1|info: reply from <.> 1.0.0.1#853|
|Jan 16 11:08:35|unbound|56538:1|info: response for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:3|info: Could not establish a chain of trust to keys for akam.cdc.gov. DNSKEY IN|
|Jan 16 11:08:35|unbound|56538:3|info: Missing DNSKEY RRset in response to DNSKEY query.|
|Jan 16 11:08:35|unbound|56538:3|info: query response was nodata ANSWER|
|Jan 16 11:08:35|unbound|56538:3|info: reply from <.> 1.0.0.1#853|
|Jan 16 11:08:35|unbound|56538:3|info: response for akam.cdc.gov. DNSKEY IN|

@mvavrusa Issue with www.cdc.gov resolving seems to have re-emerged when using Cloudflare DNS over HTTPS. Using WARP doesn’t seem to have an issue though.

Is it working better now? Some upstreams seem to be having trouble.

Sadly, no. Just retried.

Also want to correct my previous post. I’m using 1.1.1.1 with DNS over TLS (with unbound as a client).

Reloaded unbound today and www.cdc.gov started resolving.

I had this problem and it went away around the same time as this thread, but has returned for me today.

@mvavrusa Sorry, re-reading you earlier post - does it look like there’s something with akam.cdc.gov DNS that needs fixed? Not versed in DNS nuances - if this is enough to report up, I can escalate with their sysops folks.

@mvavrusa Issue returned for me as well. Nothing cdc.gov resolves.

Thanks for letting me know! Hm, I don’t see any widespread problems. Can you add an example domain and/or https://1.1.1.1/help debug info?

Seems to be working again…