On Thu, Apr 23, 2020 at 2:25 AM Viktor Dukhovni <[email protected]> wrote:
> On Mon, Apr 20, 2020 at 11:55:38AM +0100, Christian Elmerot wrote:
> > On 2020-04-19 07:55, Viktor Dukhovni wrote:
> > > The CloudFlare auth servers return ServFail for the TLSA lookup of:
> > >
> > > https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/
> > > https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/
> > > https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/
> >
> > Those ServFails are being looked into as that is something different and
> > a bug I believe. I'll get back with more information when the issue's
> > been identified in our pipeline.
>
> Great, thanks. Not yet resolved FWIW:
>
> http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html

I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran my
own debugging tool on these domains. All the CF servers for the zone are
unresponsive to DNS queries for the TLSA record at those names. I assume
that's why we get SERVFAIL. They respond to other queries fine (such as
apex SOA, A, etc).

Abbreviated transcript from the first:

[...]

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone eu. address 194.146.106.90
# [SECURE Referral to zone: markleenen.eu. in 0.080 s]
ZONE: markleenen.eu.
NS: darl.ns.cloudflare.com. 173.245.59.98 2606:4700:58::adf5:3b62
NS: tegan.ns.cloudflare.com. 173.245.58.226 2606:4700:50::adf5:3ae2
DS: 2371 13 2 23de654eeaae6a7acf8192d2604cdaad5b0ae6abc4dc6456e89559fb5d7a19f0
DNSKEY: markleenen.eu. 257 2371 ECDSA-P256 (13) 512-bits
DNSKEY: markleenen.eu. 256 34505 ECDSA-P256 (13) 512-bits
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.59.98
WARN: UDP query timeout for 173.245.59.98
WARN: UDP query timeout for 173.245.59.98
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.58.226
WARN: UDP query timeout for 173.245.58.226
WARN: UDP query timeout for 173.245.58.226
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2
Queries to all servers for zone markleenen.eu. failed.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
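Added example, not part of the thread and not the poster's own debugging tool: a small Python probe that sends a TLSA query over UDP straight to an authoritative server and tells a timeout apart from a SERVFAIL or a real answer, which is the check the transcript above performs per server. It hand-rolls the DNS wire format (RFC 1035 header and question, RFC 6698 TLSA RDATA) so it needs no dnspython; build_response is a constructed helper that exists only so the parser can be exercised offline. The name and server addresses used in main() are the ones quoted in the transcript.

```python
"""Probe an authoritative server for a TLSA record and classify the result.

Added example (not from the thread). Minimal DNS wire-format code so it
runs without dnspython; build_response only constructs test packets.
"""
import socket
import struct

TYPE_TLSA = 52
CLASS_IN = 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted owner name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_TLSA, txid=0x1234):
    """One-question query with RD=0, as sent to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (rcode name, [(usage, selector, mtype, cert_hex), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    off = 12
    for _ in range(qd):          # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    tlsa = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TLSA:   # RFC 6698: usage, selector, matching type, data
            tlsa.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return rcode, tlsa


def build_response(query, records, rcode=0):
    """Constructed authoritative answer to `query`, for offline testing only."""
    _, qd_end = read_name(query, 12)
    question = query[12:qd_end + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8400 | rcode, 1, len(records), 0, 0)
    answers = b""
    for usage, selector, mtype, cert_hex in records:
        rdata = bytes([usage, selector, mtype]) + bytes.fromhex(cert_hex)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


def probe(server, name, timeout=2.0, tries=2):
    """Query `server` over UDP; ('TIMEOUT', []) mirrors the WARN lines above."""
    query = build_query(name)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if data[:2] == query[:2]:   # match the transaction id
                return parse_response(data)
    return "TIMEOUT", []


if __name__ == "__main__":
    NAME = "_25._tcp.mail.markleenen.eu."
    for server in ("173.245.59.98", "173.245.58.226"):   # addresses quoted in the thread
        rcode, rrs = probe(server, NAME)
        print(f"{server}: {rcode} {rrs}")
```

A resolver that gets no reply from any authoritative server eventually gives up and returns SERVFAIL to its client, so the distinction this probe makes (timeout at the authoritative server versus SERVFAIL from the resolver) is exactly what dnsviz-style output alone does not show.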
