On Mon, Feb 07, 2022 at 06:27:37PM +0000, Matthew Richardson wrote:

> but Bind & Unbound returned SERVFAIL and Knot Resolver returned NXDOMAIN.
> 
> https://dnsviz.net/d/console.aws.amazon.com/YgEn7g/dnssec/
> 
> suggests a DNSSEC issue showing some things being BOGUS.  However (unless I
> am missing something obvious), there is no DNSSEC involved!

The more likely source of trouble can be seen by clicking on the "Errors"
button:

    aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)
    aws.amazon.com/CNAME: The Authoritative Answer (AA) flag was not set in the response. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
    console.aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)
    us-east-1.console.aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)

> Can anyone more knowledgeable shed any light on what might be going wrong
> here?  I wonder whether this is relevant:-

I doubt I'm especially more knowledgeable, but perhaps at times more
observant of small details...

> >; <<>> DiG 9.11.29 <<>> @ns-912.amazon.com +norec -t ns aws.amazon.com
> >; (1 server found)
> >;; global options: +cmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34133
> >;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

Note the lack of the "aa" flag, expected from an authoritative server.


> >;; ANSWER SECTION:
> >aws.amazon.com.         600     IN      NS      ns-912.amazon.com.
> >aws.amazon.com.         60      IN      CNAME   tp.8e49140c2-frontier.amazon.com.

As for NXDOMAIN, that was perhaps the status of the target of the alias
at some point.  The CNAME target may have changed since, or a previous
NXDOMAIN may have expired from caches, ...

-- 
    Viktor.
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
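A small check for the point raised above (a listed nameserver answering NOERROR without the AA bit), as an added example that is not part of the thread: it builds a non-recursive query like `dig +norec`, parses the reply's 12-byte header, and reports the AA bit and RCODE the way a resolver would judge them. The `query_udp` helper, the `diagnose` wording and the constructed `make_response` fixture are my own assumptions, not dnsviz or dig code.

```python
import socket
import struct

# Header flag bits and RCODE names from RFC 1035 section 4.1.1
QR, AA, RD = 0x8000, 0x0400, 0x0100
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype, txid=0x1234, recurse=False):
    """Build a DNS query; recurse=False leaves RD clear, like dig +norec."""
    flags = RD if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qn + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp):
    """Return the header fields that dig prints as 'flags:' and 'status:'."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & QR:
        raise ValueError("message is a query, not a response")
    return {"id": txid, "aa": bool(flags & AA), "answer_count": an,
            "authority_count": ns, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}

def diagnose(resp):
    """Say what a resolver would make of a reply from a delegated NS."""
    h = parse_header(resp)
    if h["rcode"] != "NOERROR":
        return h["rcode"]
    if not h["aa"]:
        return "NOERROR but AA not set: not an authoritative answer, resolvers may SERVFAIL"
    return "authoritative answer"

def make_response(query, aa, rcode=0, answers=0):
    """Constructed reply for a query (test fixture only): header plus copied question."""
    txid, _, qd = struct.unpack("!HHH", query[:6])
    flags = QR | (AA if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, answers, 0, 0) + query[12:]

def query_udp(server_ip, qname, qtype=2, timeout=3.0):
    """Live non-recursive check over UDP, e.g. query_udp(ns_ip, "aws.amazon.com")."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return diagnose(resp)
```

Run `query_udp` against each IP listed in the dnsviz error output to reproduce the missing-AA finding per server.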