My first DNSSEC problem…

Hit my first DNSSEC failure, couldn’t resolve www.cdc.gov from Entanet DNS cache.

My DNS troubleshooting is too old fashioned and I couldn’t see anything wrong other than extremely convoluted DNS resolution (CNAME chain, authoritative servers renamed, one dead server in chain, two delegated servers not listed in zone etc). Using dig with “+trace” worked to get the address.

Queried it with Entanet hostmaster who replied over Friday night that records are failing DNSSEC validation and so rejected (as intended by their configuration), and sent me links to DNSVIZ showing the problem.

Fortunately I wasn’t after information about an imminent zombie apocalypse.

I also noted that the CNAME chain side steps the .GOV zone signing requirement. This appears to defeat the intent of the USG in requiring .GOV be signed since it means one could spoof the DNS resolution for the website www.cdc.gov without defeating the added encryption features of DNSSEC, by spoofing the later edgesuite or akamai DNS results. Although DNSSEC would protect other uses of the domain CDC.GOV (although email is sent to a domain not currently using DNSSEC). Many other practices in website design can allow similar exploits, but the CDC website seems to avoid most of these pitfalls (for example Omniture metrics javascript is served from within the cdc.gov domain).

Credit to Entanet and their hostmaster for a prompt and accurate response.