A few weeks ago we got reports of users unable to visit the certs.godaddy.com site, which had previously worked. Digging into it, it looks to be a DNS problem. We run our own name servers (BIND) so I do have access to configurations, though to the best of my knowledge, no config changes were made on our end. Running it through dnsviz.net also reports a problem:
> secureserver.net. to where.secureserver.net.: The server(s) responded with a malformed response or with an invalid RCODE. (208.109.80.40, 208.109.132.40)
> secureserver.net. to where.secureserver.net.: The server(s) were not responsive to queries over TCP. (208.109.80.40, 208.109.132.40)
> certs.gd.where.secureserver.net./A: The response had an invalid RCODE (FORMERR) until EDNS was disabled. (208.109.132.40)
> certs.gd.where.secureserver.net./A: The response had an invalid RCODE (FORMERR) until EDNS was disabled. (208.109.80.40)

Taking packet captures on our name servers while querying themselves (dig @127.0.0.1 certs.godaddy.com) will sometimes show a response from the GoDaddy name server, but our name servers don't seem to register it; they'll keep asking for NS records until the dig query times out. Other times it'll return a Form-Err.

I seem to be able to reproduce the Form-Err reliably by doing a dig +trace, or by querying the authoritative name server for the target of the certs.godaddy.com CNAME (certs.gd.where.secureserver.net):

dig @gns1.secureserver.net certs.gd.where.secureserver.net +edns=0

(That query succeeds if you use +noedns instead.)

Interestingly, we have 2 name servers, plus my own personal name servers, which do not have this issue. As mentioned in the DNSviz errors, the difference seems to be EDNS. I took a peek at some of the packet captures, and this appears to be the only significant difference:

> <root>: type OPT
> Name: <Root>
> Type: OPT (41)
> UDP payload size: 4096
> Higher bits in extended RCODE: 0x00
> EDNS0 version: 0
> Z: 0x8000
> 1... .... .... .... = DO bit: Accepts DNSSEC security RRs
> .000 0000 0000 0000 = Reserved: 0x0000
> Data length: 0

Also interestingly, queries of the parent domain, secureserver.net, work fine, though they have a completely different set of authoritative name servers.

Anyone else run into this or have ideas what it could be? Does GoDaddy have a firewall that's mangling EDNS queries?
Thanks,
--
Michael Smitasin
Network Engineer
LBLnet Services Group
Lawrence Berkeley National Laboratory
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
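The EDNS-versus-no-EDNS comparison the post does with dig, as an added example that is not part of the original post nor code from BIND, GoDaddy or DNSViz: it hand-builds a minimal A query with and without the OPT pseudo-RR (4096-byte payload, DO bit set, as in the capture quoted above) and reads the RCODE of the reply, so a resolver operator can confirm whether a FORMERR appears only when EDNS is present. The server 127.0.0.1 and the name example.com in the main block are placeholders you would swap for a name server you operate.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    # Wire-format owner name: length-prefixed labels ending in a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, edns=True, do_bit=True, payload=4096):
    # Header: id, flags (RD=1 only), QDCOUNT=1, AN/NS=0, ARCOUNT=1 if OPT added.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size,
    # "TTL" = ext-RCODE(8) | version(8) | Z flags(16, DO is the top bit), RDLEN=0.
    z_flags = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, payload, 0, 0, z_flags, 0)
    return header + question + opt

def parse_rcode(response):
    # Returns (txid, rcode name, ARCOUNT); a FORMERR caused by EDNS usually
    # comes back with ARCOUNT=0 because the server dropped the OPT record.
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return txid, RCODES.get(flags & 0x000F, str(flags & 0x000F)), ar

def probe(server, name, edns=True, timeout=3.0):
    # One UDP query to server:53; returns parse_rcode() of the reply or None on timeout.
    q = build_query(name, edns=edns)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_rcode(data)

if __name__ == "__main__":
    # Placeholder target: compare both variants against a server you operate.
    # FORMERR with EDNS but NOERROR without reproduces the symptom in the post.
    for edns in (True, False):
        print("edns" if edns else "noedns", probe("127.0.0.1", "example.com", edns=edns))
```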
