For the thread -- we're aware and looking into this. noc@cloudflare.com being the best place to report these kinds of things.

__________________
*Justin Paine*
He/Him/His
Head of Trust & Safety
101 Townsend St, San Francisco, CA 94107
<https://www.cloudflare.com/>
*PGP:* BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D <https://keys.openpgp.org/vks/v1/by-fingerprint/BBAA6BCE33057FD66452711557B60114DE0B314D>

On Tue, Apr 6, 2021 at 2:49 PM Mark Andrews <marka@isc.org> wrote:
On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil@darkdevil.dk> wrote:
On 06-04-2021 at 21:47, Seth Mattinen wrote:
What kind of local problem or network problems could cause a servfail response from the authoritative ns?
I'm beginning to think this is a DNSSEC related problem, I'll ask on the pdns-users list. I see it's asking for a DS record on login.authorize.net.cdn.cloudflare.net when the nearest one appears to be at cloudflare.net, so for some reason that's not being applied all the way down.
I do somehow take that "local problem" part back again, which also wasn't intended exactly in the way that it was written:
-> https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare....
Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing due to the SERVFAIL.
-> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/
Seems to claim that it works just fine.
Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.
But I don't think you should be querying /DNSKEY or /DS, except at the (current) delegation's root, e.g. as you say yourself, at "cloudflare.net" in this case.
It shouldn’t matter if you query for them. If the records don’t exist then you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove those responses.
Note the server claims that TXT records exist at login.authorize.net.cdn.cloudflare.net but can’t return them.
% dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @ 198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TYPE65

;; AUTHORITY SECTION:
cloudflare.net. 5 IN SOA ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \ 000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
cloudflare.net. 5 IN RRSIG SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==

;; Query time: 17 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:13:25 AEST 2021
;; MSG SIZE rcvd: 417
%
% dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @ 198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TXT

;; Query time: 15 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:14:22 AEST 2021
;; MSG SIZE rcvd: 67
%
Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...
-- Med venlig hilsen / Kind regards, Arne Jensen
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
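
The comparison made in the quoted message above (an NSEC type list that includes TXT, followed by SERVFAIL for a TXT query) can be automated over saved dig output. This is an added example, not part of the original thread; the sample responses are constructed and abbreviated from the ones quoted, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated dig outputs modelled on the two responses quoted in the thread.
NODATA_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TYPE65
;; AUTHORITY SECTION:
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \\000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA RRSIG NSEC CAA
"""
TXT_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TXT
"""

def parse_dig(text):
    """Extract rcode, answer count, question and NSEC type lists from dig text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)", text, re.M).groups()
    nsec = {}
    # "IN NSEC" only: RRSIG lines covering NSEC do not match this pattern.
    for owner, types in re.findall(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.*)$", text, re.M):
        nsec[owner.lower()] = set(types.split())
    return {"status": status, "answers": answers,
            "qname": qname.lower(), "qtype": qtype.upper(), "nsec": nsec}

def check_consistency(nodata, probe):
    """Compare the NSEC proof from a NODATA response with a later query for the same name."""
    bitmap = nodata["nsec"].get(probe["qname"])
    if bitmap is None:
        return "no NSEC for this owner name; nothing to compare"
    claimed = probe["qtype"] in bitmap
    if probe["status"] == "SERVFAIL":
        return ("INCONSISTENT: NSEC lists %s but the server answers SERVFAIL" if claimed
                else "BROKEN: expected NOERROR/NODATA with NSEC proof for %s, got SERVFAIL"
                ) % probe["qtype"]
    if probe["status"] == "NOERROR" and probe["answers"] == 0 and claimed:
        return "INCONSISTENT: NSEC lists %s but the answer section is empty" % probe["qtype"]
    return "consistent"

if __name__ == "__main__":
    print(check_consistency(parse_dig(NODATA_RESPONSE), parse_dig(TXT_RESPONSE)))
```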