Dear Stephane, Whilst I have not got an answer, I have managed to get an example of a failure using Cloudflare:-
; <<>> DiG 9.11.19 <<>> @1.1.1.1 banquepopulaire.fr ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41975
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;banquepopulaire.fr.            IN      NS

;; Query time: 14 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat May 30 18:02:59 BST 2020
;; MSG SIZE  rcvd: 47

and thereafter:-

; <<>> DiG 9.11.19 <<>> @1.1.1.1 www.banquepopulaire.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53725
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.banquepopulaire.fr.        IN      A

;; Query time: 4148 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat May 30 18:03:21 BST 2020
;; MSG SIZE  rcvd: 51

I wonder whether the first one (SERVFAIL for NS) is a clue. bcpe.fr is delegated to the same servers, which do not answer NS queries. Thus the NS RRset is only available from the parent (.fr) and not the child. Maybe this upsets child-centric resolvers. I am just guessing though... The whole thing is very bad practice, as reported, all the more so for a bank!

Best wishes,

Matthew

------

>From: Stephane Bortzmeyer <[email protected]>
>To: DNS Operations List <[email protected]>
>Cc:
>Date: Sat, 30 May 2020 18:09:24 +0200
>Subject: [dns-operations] A strange DNS problem (intermittent SERVFAILs)
>
>Several users on Twitter reported problems accessing Banque Populaire
>(a French bank) https://www.banquepopulaire.fr
>https://www.ibps.loirelyonnais.banquepopulaire.fr
>https://www.ibps.bpaca.banquepopulaire.fr
>https://www.ibps.mediterranee.banquepopulaire.fr/
>
>From the limited reports, all errors point to a DNS issue. (For one
>user, adding the IP address in /etc/hosts solved the problem.)
>
>But testing with existing resolvers and with the RIPE Atlas probes does
>not show a widespread outage.
>
>The existing DNS configuration is clearly very questionable, such as a
>zone delegated to just one name server, and a broken one, replying
>REFUSED for NS and SOA queries.
>
>The question is "how can this incorrect setup *sometimes* produce
>a resolution failure?"
>
>Details in French, plus dig outputs (not in French), are at
><http://shaarli.guiguishow.info/?F7a6EA>.
>
>_______________________________________________
>dns-operations mailing list
>[email protected]
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
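The hypothesis in the exchange above (the NS RRset exists only at the parent because the single delegated server answers REFUSED for apex NS and SOA, and a resolver that insists on confirming the delegation at the child therefore fails) can be made concrete. The following is an added example, not code from the thread or from any resolver; it implements a delegation-consistency check of the kind a practitioner would run against a zone like this, and a toy resolver that can be switched between parent-centric and child-centric behaviour. The zone name is the one under discussion; the child server name `ns.example-child.fr.`, the address 192.0.2.10 and every response are constructed to mirror the behaviour reported in the thread, not captured from the real servers. The `query` callable is injected so the same check can be driven by a real transport instead of the constructed one.

```python
"""Delegation check and toy resolver for a child that refuses apex NS/SOA.

Added example, not code from the dns-operations thread. The zone name is the
one under discussion; CHILD_NS, 192.0.2.10 and all responses are constructed
to mirror the reported behaviour, not captured from the real servers.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

RR = Tuple[str, str, str]          # (owner, rtype, rdata)


@dataclass
class Response:
    rcode: str                     # NOERROR, REFUSED, SERVFAIL, NXDOMAIN
    aa: bool = False               # Authoritative Answer flag
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


QueryFn = Callable[[str, str, str], Response]   # (server, qname, qtype) -> Response

ZONE = "banquepopulaire.fr."
CHILD_NS = "ns.example-child.fr."  # hypothetical name for the single delegated server
PARENT = "parent"                  # stands in for the .fr servers


def fake_query(server: str, qname: str, qtype: str) -> Response:
    """Constructed network: the parent only hands out a referral; the child
    refuses NS/SOA at the apex but answers normally for www (as reported)."""
    if server == PARENT:
        if qname == ZONE or qname.endswith("." + ZONE):
            return Response("NOERROR", authority=[(ZONE, "NS", CHILD_NS)])
        return Response("NXDOMAIN", aa=True)
    if server == CHILD_NS:
        if qname == ZONE and qtype in ("NS", "SOA"):
            return Response("REFUSED")
        if qname == "www." + ZONE and qtype == "A":
            return Response("NOERROR", aa=True, answer=[(qname, "A", "192.0.2.10")])
        return Response("NXDOMAIN", aa=True)
    return Response("SERVFAIL")


def good_query(server: str, qname: str, qtype: str) -> Response:
    """Constructed counterpart: the same child, but answering apex NS/SOA correctly."""
    if server == CHILD_NS and qname == ZONE and qtype in ("NS", "SOA"):
        rdata = CHILD_NS if qtype == "NS" else f"{CHILD_NS} hostmaster.{ZONE} 1 7200 3600 1209600 300"
        return Response("NOERROR", aa=True, answer=[(ZONE, qtype, rdata)])
    return fake_query(server, qname, qtype)


def check_delegation(zone: str, parent_ns: List[str], query: QueryFn) -> List[str]:
    """Ask each delegated server for the apex NS and SOA and compare with the
    parent. Returns human-readable problems; an empty list means the delegation is sane."""
    problems: List[str] = []
    if len(parent_ns) < 2:
        problems.append(f"{zone}: only {len(parent_ns)} name server delegated")
    for ns in parent_ns:
        for qtype in ("NS", "SOA"):
            r = query(ns, zone, qtype)
            if r.rcode != "NOERROR":
                problems.append(f"{ns}: {r.rcode} for {zone} {qtype}")
                continue
            if not r.aa:
                problems.append(f"{ns}: non-authoritative answer for {zone} {qtype}")
            if qtype == "NS":
                child_set = sorted(rd for (_, t, rd) in r.answer if t == "NS")
                if child_set != sorted(parent_ns):
                    problems.append(f"{ns}: child NS set {child_set} differs from parent {sorted(parent_ns)}")
    return problems


def resolve(qname: str, qtype: str, query: QueryFn, child_centric: bool) -> Tuple[str, List[RR]]:
    """Toy iterative resolver. Parent-centric: trust the referral's NS set.
    Child-centric (in the spirit of Unbound's harden-referral-path option):
    first ask the child for its own NS RRset and give up if it cannot confirm it."""
    referral = query(PARENT, qname, qtype)
    ns_set = [rd for (_, t, rd) in referral.authority if t == "NS"]
    if not ns_set:
        return ("SERVFAIL", [])
    zone = referral.authority[0][0]
    if child_centric:
        confirm = query(ns_set[0], zone, "NS")
        if confirm.rcode != "NOERROR" or not confirm.aa:
            return ("SERVFAIL", [])        # delegation cannot be confirmed at the child
    answer = query(ns_set[0], qname, qtype)
    if answer.rcode in ("REFUSED", "SERVFAIL"):
        return ("SERVFAIL", [])            # lame/broken server and no other server to try
    return (answer.rcode, answer.answer)


if __name__ == "__main__":
    for p in check_delegation(ZONE, [CHILD_NS], fake_query):
        print("problem:", p)
    for centric in (False, True):
        print(f"child_centric={centric} www A   ->", resolve("www." + ZONE, "A", fake_query, centric))
        print(f"child_centric={centric} apex NS ->", resolve(ZONE, "NS", fake_query, centric))
```

With the constructed responses the apex NS query fails under both policies (the child refuses it and there is no second server), which matches the first dig output, while the www A query succeeds only for the parent-centric resolver; against `good_query` the only remaining finding is the single-server delegation. Whether Cloudflare's resolver behaves child-centrically in this way is not established by the thread; the example only shows that the hypothesis is sufficient to produce the observed SERVFAILs.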
