Having tried to access AWS's console today (for the first time in a while), an NXDOMAIN (using Knot Resolver) was returned for eu-west-1.console.aws.amazon.com (to which AWS had redirected the browser).
Trying a lab of 4 validating caching resolvers, PowerDNS returned the answer:- >; <<>> DiG 9.11.29 <<>> @dt05 -p 534 eu-west-1.console.aws.amazon.com >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51057 >;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 > >;; OPT PSEUDOSECTION: >; EDNS: version: 0, flags:; udp: 512 >;; QUESTION SECTION: >;eu-west-1.console.aws.amazon.com. IN A > >;; ANSWER SECTION: >eu-west-1.console.aws.amazon.com. 60 IN CNAME >gr.console-geo.eu-west-1.amazonaws.com. >gr.console-geo.eu-west-1.amazonaws.com. 60 IN CNAME >a1b62e4959fcbcf72.awsglobalaccelerator.com. >a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 75.2.73.50 >a1b62e4959fcbcf72.awsglobalaccelerator.com. 300 IN A 99.83.251.236 > >;; Query time: 1166 msec >;; SERVER: 193.201.42.59#534(193.201.42.59) >;; WHEN: Mon Feb 07 17:24:27 GMT Standard Time 2022 >;; MSG SIZE rcvd: 195 but Bind & Unbound returned SERVFAIL and Knot Resolver returned NXDOMAIN. https://dnsviz.net/d/console.aws.amazon.com/YgEn7g/dnssec/ suggests a DNSSEC issue showing some things being BOGUS. However (unless I am missing something obvious), there is no DNSSEC involved! Can anyone more knowledgeable shed any light on what might be going wrong here? I wonder whether this is relevant:- >; <<>> DiG 9.11.29 <<>> @ns-912.amazon.com +norec -t ns aws.amazon.com >; (1 server found) >;; global options: +cmd >;; Got answer: >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34133 >;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 > >;; QUESTION SECTION: >;aws.amazon.com. IN NS > >;; ANSWER SECTION: >aws.amazon.com. 600 IN NS ns-912.amazon.com. >aws.amazon.com. 60 IN CNAME >tp.8e49140c2-frontier.amazon.com. > >;; Query time: 156 msec >;; SERVER: 52.9.146.37#53(52.9.146.37) >;; WHEN: Mon Feb 07 14:17:31 GMT Standard Time 2022 >;; MSG SIZE rcvd: 89 but it is something of a stab in the dark. Also, is there anyone from AWS around these parts who might have an insight? -- Best wishes, Matthew _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
