> On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil@darkdevil.dk> wrote:
>
>
> Den 06-04-2021 kl. 21:47 skrev Seth Mattinen:
>>
>>>
>>> What kind of local problem or network problems could cause a servfail
>>> response from the authoritative ns?
>>
>>
>>
>> I'm beginning to think this is a DNSSEC related problem, I'll ask on
>> the pdns-users list. I see it's asking for a DS record on
>> login.authorize.net.cdn.cloudflare.net when the nearest one appears to
>> be at cloudflare.net, so for some reason that's not being applied all
>> the way down.
>
> I do somehow take that "local problem" part back again, which also
> wasn't intended exactly in the way that it was written:
>
> ->
> https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net
>
> Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
> due to the SERVFAIL.
>
> -> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/
>
> Seems to claim that it works just fine.
>
> Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
> login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.
>
>
> But I don't think you should be querying /DNSKEY or /DS, except at the
> (current) delegation's root, e.g. as you say yourself, at
> "cloudflare.net" in this case.

It shouldn’t matter if you query for them. If the records don’t exist then
you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove
those responses.

Note the server claims that TXT records exist at login.authorize.net.cdn.cloudflare.net
but can’t return them.

% dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TYPE65
;; AUTHORITY SECTION:
cloudflare.net. 5 IN SOA ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
cloudflare.net. 5 IN RRSIG SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==
;; Query time: 17 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:13:25 AEST 2021
;; MSG SIZE rcvd: 417
%
% dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TXT
;; Query time: 15 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:14:22 AEST 2021
;; MSG SIZE rcvd: 67
%

> Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...
>
> --
> Med venlig hilsen / Kind regards,
> Arne Jensen
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
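
The check described in the message above, as an added example that is not part of the original e-mail: it parses dig text output (the two replies quoted in the thread, abridged), confirms that the empty TYPE65 answer is covered by an NSEC at the query name that omits the type, and flags the TXT mismatch. The function names are this example's own, and it compares type lists only; it does not validate the RRSIG signatures.

```python
import re

# Abridged from the two dig replies quoted in this thread (RRSIGs, OPT and
# timing lines dropped). This checks type-bitmap logic only, not signatures.
NODATA_REPLY = r"""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TYPE65
;; AUTHORITY SECTION:
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
"""
SERVFAIL_REPLY = r"""
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TXT
"""

def parse(text):
    """Return (rcode, answer count, qname, qtype, NSEC types at qname or None)."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)$", text, re.M).groups()
    nsec = re.search(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.*)$", text, re.M)
    at_qname = nsec and nsec.group(1).lower() == qname.lower()
    types = set(nsec.group(2).split()) if at_qname else None
    return status, answers, qname, qtype.upper(), types

def classify(text):
    """Is an empty NOERROR answer backed by an NSEC that omits the qtype?"""
    status, answers, _, qtype, types = parse(text)
    if status != "NOERROR" or answers:
        return status
    if types is None:
        return "NODATA, no NSEC at qname"
    return "NODATA proven" if qtype not in types else "NSEC contradicts NODATA"

def cross_check(nodata_text, followup_text):
    """Flag a type the NSEC bitmap lists that the server then fails to serve."""
    _, _, qname, _, types = parse(nodata_text)
    status, answers, fname, ftype, _ = parse(followup_text)
    listed = types and fname.lower() == qname.lower() and ftype in types
    if listed and (status != "NOERROR" or answers == 0):
        return f"{ftype} listed in NSEC at {qname} but query returned {status}"
    return None

if __name__ == "__main__":
    print(classify(NODATA_REPLY))
    print(cross_check(NODATA_REPLY, SERVFAIL_REPLY))
```

Both replies must come from the same dig version so that the type mnemonics in the question and in the NSEC list agree (for example `TYPE65` rather than a newer name).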