For the thread -- we're aware and looking into this. n...@cloudflare.com being the best place to report these kinds of things.
<https://www.cloudflare.com/>
__________________
*Justin Paine*
He/Him/His
Head of Trust & Safety
101 Townsend St, San Francisco, CA 94107
<https://www.cloudflare.com/>
*PGP:* BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
<https://keys.openpgp.org/vks/v1/by-fingerprint/BBAA6BCE33057FD66452711557B60114DE0B314D>

On Tue, Apr 6, 2021 at 2:49 PM Mark Andrews <ma...@isc.org> wrote:

>
> > On 7 Apr 2021, at 05:59, Arne Jensen <darkde...@darkdevil.dk> wrote:
> >
> > On 06-04-2021 at 21:47, Seth Mattinen wrote:
> >>
> >>> What kind of local problem or network problems could cause a servfail
> >>> response from the authoritative ns?
> >>
> >> I'm beginning to think this is a DNSSEC related problem, I'll ask on
> >> the pdns-users list. I see it's asking for a DS record on
> >> login.authorize.net.cdn.cloudflare.net when the nearest one appears to
> >> be at cloudflare.net, so for some reason that's not being applied all
> >> the way down.
> >
> > I do somehow take that "local problem" part back again, which also
> > wasn't intended exactly in the way that it was written:
> >
> > -> https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net
> >
> > Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
> > due to the SERVFAIL.
> >
> > -> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/
> >
> > Seems to claim that it works just fine.
> >
> > Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
> > login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.
> >
> > But I don't think you should be querying /DNSKEY or /DS, except at the
> > (current) delegation's root, e.g. as you say yourself, at
> > "cloudflare.net" in this case.
>
> It shouldn’t matter if you query for them. If the records don’t exist then
> you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to
> prove those responses.
>
> Note the server claims that TXT records exist at
> login.authorize.net.cdn.cloudflare.net but can’t return them.
>
> % dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
>
> ; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;login.authorize.net.cdn.cloudflare.net. IN TYPE65
>
> ;; AUTHORITY SECTION:
> cloudflare.net. 5 IN SOA ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
> login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
> cloudflare.net. 5 IN RRSIG SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
> login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==
>
> ;; Query time: 17 msec
> ;; SERVER: 198.41.222.31#53(198.41.222.31)
> ;; WHEN: Wed Apr 07 07:13:25 AEST 2021
> ;; MSG SIZE rcvd: 417
>
> %
>
> % dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
>
> ; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;login.authorize.net.cdn.cloudflare.net. IN TXT
>
> ;; Query time: 15 msec
> ;; SERVER: 198.41.222.31#53(198.41.222.31)
> ;; WHEN: Wed Apr 07 07:14:22 AEST 2021
> ;; MSG SIZE rcvd: 67
>
> %
>
> > Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...
> >
> > --
> > Med venlig hilsen / Kind regards,
> > Arne Jensen
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
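
Added example, not part of the thread or of any participant's tooling: a small Python check of the point raised in the quoted reply, that the type list in a name's signed NSEC record and the server's answers for that name should agree. The sample text is abridged from the two dig responses quoted in the thread; the function names are made up here, and the script compares type lists only, it does not validate any signature.

```python
import re

# Abridged from the two dig transcripts quoted in the thread: wrapped lines
# rejoined; SOA, RRSIG, OPT and timing lines omitted.
TYPE65_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;login.authorize.net.cdn.cloudflare.net. IN TYPE65
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \\000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
"""
TXT_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;login.authorize.net.cdn.cloudflare.net. IN TXT
"""

def parse_dig(text):
    """Extract rcode, answer count, question and NSEC type lists from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)$", text, re.M).groups()
    nsec = {m.group(1).lower(): set(m.group(2).split())
            for m in re.finditer(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.+)$", text, re.M)}
    return {"status": status, "answers": answers, "qname": qname.lower(),
            "qtype": qtype.upper(), "nsec": nsec}

def audit(replies):
    """Compare every reply with the NSEC type list seen for the same owner name."""
    parsed = [parse_dig(r) for r in replies]
    bitmaps = {k: v for p in parsed for k, v in p["nsec"].items()}
    findings = []
    for p in parsed:
        claimed = bitmaps.get(p["qname"])
        listed = claimed is not None and p["qtype"] in claimed
        empty_ok = p["status"] == "NOERROR" and p["answers"] == 0
        if empty_ok and claimed is None:
            verdict = "unproven: NODATA but no NSEC seen for this name"
        elif empty_ok and not listed:
            verdict = "ok: NODATA agrees with the NSEC type list"
        elif empty_ok:
            verdict = "inconsistent: NSEC lists the type but the answer is empty"
        elif p["status"] == "SERVFAIL" and listed:
            verdict = "inconsistent: NSEC lists the type but the query fails"
        elif p["status"] == "SERVFAIL":
            verdict = "failure: expected data or NOERROR/NODATA with NSEC"
        else:
            verdict = "not checked"
        findings.append((p["qtype"], p["status"], verdict))
    return findings

if __name__ == "__main__":
    print(*audit([TYPE65_REPLY, TXT_REPLY]), sep="\n")
```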