On 26/05/2020 12:00, Viktor Dukhovni wrote:
> On Thu, Apr 23, 2020 at 08:46:02AM -0400, Shumon Huque wrote:
>
>>> Great, thanks. Not yet resolved FWIW:
>>> http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html
>>
>> I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran
>> my own debugging tool on these domains. All the CF servers for the zone
>> are unresponsive to DNS queries for the TLSA record at those names. I
>> assume that's why we get SERVFAIL. They respond to other queries fine
>> such as apex SOA, A, etc):
>
> I've rescanned the three domains, still broken (same URL, updated
> content), and yes silence.
>
> @alla.ns.cloudflare.com.[173.245.58.62]
> ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.58.62
> ;; connection timed out; no servers could be reached
>
> @guss.ns.cloudflare.com.[173.245.59.172]
> ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.59.172
> ;; connection timed out; no servers could be reached
>
> Unclear why the TLSA queries are dropped, and by whom (is Cloudflare
> just proxying breakage at the customer's DNS?)
I've looked into the error on our side, and the reason for those SERVFAILs is malformed record content. This is likely due to an older version of our API not performing the correct validations for TLSA records, and it is unfortunate the zone owners never checked the output.
Christian Elmerot, Cloudflare

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
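As an added example that is not part of this thread and is not Cloudflare's code: the reply above attributes the SERVFAILs to TLSA records whose content was accepted unvalidated. The Python below is the kind of pre-publication check an operator's API or a zone-file linter can apply, validating the RDATA fields against the values RFC 6698 registers and the owner-name layout (`_port._proto.host`) used by the `_25._tcp.mx01.mx-hosting.ch` queries in the thread. The sample records are constructed; none of them are the real records from the affected zones.

```python
"""Offline sanity checks for TLSA records (RFC 6698) before they are published.

Added example; the rules follow RFC 6698 section 2.1 and the IANA TLSA
registries, and every sample record below is constructed.
"""
import re

VALID_USAGE = {0, 1, 2, 3}        # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
VALID_SELECTOR = {0, 1}           # full certificate, SubjectPublicKeyInfo
VALID_MATCHING = {0, 1, 2}        # exact match, SHA-256, SHA-512
DIGEST_HEX_LEN = {1: 64, 2: 128}  # hex length of the digest for hashed matching types

_HEX = re.compile(r"[0-9A-Fa-f]*")
_OWNER = re.compile(r"_(\d{1,5})\._(tcp|udp|sctp)\.(.+)$")


def validate_tlsa_rdata(rdata: str) -> list:
    """Return the list of problems in one TLSA RDATA string in presentation
    format ('usage selector matching-type cert-assoc-data'); [] means it parses."""
    problems = []
    fields = rdata.split()
    if len(fields) < 4:
        return ["expected 4 fields (usage selector matching-type data), got %d" % len(fields)]

    nums = []
    for label, text in zip(("usage", "selector", "matching type"), fields[:3]):
        if not text.isdigit():
            problems.append("%s %r is not an integer" % (label, text))
            nums.append(None)
        else:
            nums.append(int(text))
    usage, selector, mtype = nums
    if usage is not None and usage not in VALID_USAGE:
        problems.append("usage %d is not registered" % usage)
    if selector is not None and selector not in VALID_SELECTOR:
        problems.append("selector %d is not registered" % selector)
    if mtype is not None and mtype not in VALID_MATCHING:
        problems.append("matching type %d is not registered" % mtype)

    # Zone files may break the hex data into whitespace-separated chunks.
    data = "".join(fields[3:])
    if not _HEX.fullmatch(data):
        problems.append("certificate association data is not hexadecimal")
    elif len(data) % 2:
        problems.append("certificate association data has an odd number of hex digits")
    elif not data:
        problems.append("certificate association data is empty")
    elif mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        problems.append("matching type %d needs %d hex digits, got %d"
                        % (mtype, DIGEST_HEX_LEN[mtype], len(data)))
    return problems


def parse_tlsa_owner(name: str):
    """Split a TLSA owner name such as _25._tcp.mx01.mx-hosting.ch into
    (port, protocol, host); return None when the name is not of that shape."""
    m = _OWNER.match(name.rstrip("."))
    if not m or not 0 < int(m.group(1)) < 65536:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


# Constructed records: one well-formed DANE-EE SPKI SHA-256 record and three
# malformed variants of the kind a publishing API should reject.
SAMPLE_RECORDS = {
    "good":         "3 1 1 " + "ab" * 32,
    "short_digest": "3 1 1 " + "ab" * 30,
    "bad_usage":    "5 1 1 " + "ab" * 32,
    "not_hex":      "3 1 1 " + "zz" * 32,
}


def audit(records: dict) -> dict:
    """Map each record label to its list of problems."""
    return {label: validate_tlsa_rdata(rdata) for label, rdata in records.items()}


if __name__ == "__main__":
    print(parse_tlsa_owner("_25._tcp.mx01.mx-hosting.ch"))
    for label, problems in audit(SAMPLE_RECORDS).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run against an exported zone, `audit` flags records whose digest length does not match the declared matching type, which is the class of content mismatch that makes a record un-serveable even though the zone's other RR types answer normally.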
