Re: [dns-operations] Signature expired for the DS of .ch at Cloudflare ?

2023-10-04 Thread Marek Vavruša
Hi Stephane,

We published a blog post with RCA and more details here
https://blog.cloudflare.com/1-1-1-1-lookup-failures-on-october-4th-2023/
The issue was the local resolver root zone copy was stale and not
removed from production in some places.
I'm sorry for any issues encountered.

Marek

On Wed, 4 Oct 2023 at 01:53, Stephane Bortzmeyer  wrote:
>
> On Wed, Oct 04, 2023 at 10:35:14AM +0200,
>  Stephane Bortzmeyer  wrote
>  a message of 57 lines which said:
>
> > Other instances of Cloudflare have the correct info:
> >
> > % dig +cd +nsid @1.1.1.1 DS ch.
>
> https://www.cloudflarestatus.com/
>
> Investigating - Cloudflare is aware of, and investigating, DNS resolution 
> issues which potentially impacts multiple users using 1.1.1.1 public resolver 
> and/or WARP.
>
> Further detail will be provided as more information becomes available.
> Oct 04, 2023 - 08:19 UTC
>
> ___
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] DHL.com failures

2023-10-04 Thread Viktor Dukhovni
On Wed, Oct 04, 2023 at 04:46:42PM +0200, Martin Wismer wrote:

> we could get answer from all of the dhl.com NS RR TXT.  It's a big
> Answer, bigger than 2200 Byte. Maybe they have rate limits on it.

That's not the issue.  The OP also reported that answers arrive when no
EDNS options are used (no NSID and no COOKIEs), but EDNS option
intolerance is EDNS-noncompliance.  Unsupported options must be simply
ignored, rather than cause the query to be dropped.

-- 
Viktor.


Re: [dns-operations] DHL.com failures

2023-10-04 Thread Martin Wismer

Hello
we could get answer from all of the dhl.com NS RR TXT.
It's a big Answer, bigger than 2200 Byte. Maybe they have rate limits
on it.

Regards
  Martin.Wismer.


Re: [dns-operations] DHL.com failures

2023-10-04 Thread Viktor Dukhovni
On Wed, Oct 04, 2023 at 03:10:13PM +0200, Borja Marcos via dns-operations wrote:

> dhl.com/TXT: No response was received from the server over UDP (tried
> 7 times) until the NSID EDNS option was removed (however, this server
> appeared to respond legitimately to other queries with the NSID EDNS
> option present).

Also, the NS RRset at the ".COM" parent zone has only 3 of the six
nameservers listed at the child zone apex.  And the text RRset is rather
rich with "domain verification" tokens, perhaps at least some need not
be persisted after the initial verification?

-- 
Viktor.


[dns-operations] DHL.com failures

2023-10-04 Thread Borja Marcos via dns-operations
--- Begin Message ---

Maybe someone from DHL can come to the courtesy phone? 

Our TXT queries are failing because their EDNS implementation is faulty.

(from dnsviz.net)

dhl.com/TXT: No response was received from the server over UDP (tried 7 times) 
until the NSID EDNS option was removed (however, this server appeared to 
respond legitimately to other queries with the NSID EDNS option present).


We have disabled DNS cookies when querying their authoritative servers but, 
well, I’d rather enable them again.

Cheers,

Borja Marcos.

--- End Message ---
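
An added example, not part of any message in this thread and not DHL's or dnsviz's code: a sketch of server-side EDNS option handling that contrasts the behaviour described above (a query dropped because it carries an unsupported option) with the tolerant behaviour, where unsupported options are skipped and the query is still answered. The function names, the `tolerant` switch, the FORMERR choice for a truncated option and the sample option bytes are assumptions made for illustration.

```python
import struct

NSID, COOKIE = 3, 10  # EDNS option codes (RFC 5001, RFC 7873)

def build_opt_rdata(options):
    """Pack (code, data) pairs into OPT RDATA: code(2) | length(2) | data."""
    return b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in options)

def parse_opt_rdata(rdata):
    """Return [(code, data), ...]; raise ValueError on a truncated option."""
    options, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data runs past end of RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options

def decide(rdata, supported, tolerant=True):
    """Decide what a server does with a query carrying this OPT RDATA.

    tolerant=True  : unsupported options are skipped, the query is answered.
    tolerant=False : models the failure reported in the thread, where an
                     unsupported option makes the server drop the query.
    """
    try:
        options = parse_opt_rdata(rdata)
    except ValueError:
        # Malformed OPT RDATA is a format error, not a reason to go silent.
        return {"action": "FORMERR", "used": [], "ignored": []}
    used = [c for c, _ in options if c in supported]
    ignored = [c for c, _ in options if c not in supported]
    if ignored and not tolerant:
        return {"action": "drop", "used": used, "ignored": ignored}
    return {"action": "answer", "used": used, "ignored": ignored}

# Constructed query options: an empty NSID request and an 8-byte client cookie.
SAMPLE = build_opt_rdata([(NSID, b""), (COOKIE, bytes(range(8)))])

if __name__ == "__main__":
    print(decide(SAMPLE, supported={COOKIE}))               # answered, NSID skipped
    print(decide(SAMPLE, supported=set(), tolerant=False))  # dropped
    print(decide(SAMPLE[:-3], supported={COOKIE}))          # FORMERR
```
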


Re: [dns-operations] Signature expired for the DS of .ch at Cloudflare ?

2023-10-04 Thread Stephane Bortzmeyer
On Wed, Oct 04, 2023 at 10:35:14AM +0200,
 Stephane Bortzmeyer  wrote 
 a message of 57 lines which said:

> Other instances of Cloudflare have the correct info:
> 
> % dig +cd +nsid @1.1.1.1 DS ch.

https://www.cloudflarestatus.com/

Investigating - Cloudflare is aware of, and investigating, DNS resolution 
issues which potentially impacts multiple users using 1.1.1.1 public resolver 
and/or WARP. 

Further detail will be provided as more information becomes available.
Oct 04, 2023 - 08:19 UTC



[dns-operations] Signature expired for the DS of .ch at Cloudflare ?

2023-10-04 Thread Stephane Bortzmeyer
Other instances of Cloudflare have the correct info:

% dig +cd +nsid @1.1.1.1 DS ch.

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> +cd +nsid @1.1.1.1 DS ch.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20816
;; flags: qr aa rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; NSID: 35 33 38 6d 31 37 38 ("538m178")
;; QUESTION SECTION:
;ch.                            IN      DS

;; ANSWER SECTION:
ch. 86400 IN DS 10 13 2 (
0E175543A74D9083EA977BAB2BEE98A771995F80982F
B796B2B0B9CC6413D1A6 )
ch. 86400 IN RRSIG DS 8 1 86400 (
2023100405 2023092104 11019 .
U0PZSe2x3/R7P1+TKdnX9DSFxRtfvJIEdnI3q4MhSVuq
jX8HiqpU613EAyLF3s9IINPg+ctOSKWOzULMpZK+sbX9
NBzzRevhbHFziGNgqupscrxFKX7PGvRXKjmwfcfi7X4n
nvOlpsW0glNixT4M4vjdzO2bYDmgwzfwoosDy3r2W5e8
VKBn4lj75nqI/fgtLJQyi2pDHokZ5qRnzQ4/lsajwRsP
CnOgGnmtTyq3HRnI9cng5Lqv6yDHYacIk2Fpte6ehirN
oLwGaSwtWk7Tf1k/GpNKB3kpYb/e8VYVQ7c1ydwk7on7
tVn6hUaNlHpVbj8eFHXQYmRfvAl8+VAMBw== )

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Oct 04 10:34:06 CEST 2023
;; MSG SIZE  rcvd: 377

% dig  +nsid @1.1.1.1 DS ch.

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> +nsid @1.1.1.1 DS ch.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52317
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 7 (Signature Expired): (failed to verify ch. DS: RRSIG ch., expiration = 1696395600)
; NSID: 35 33 32 6d 33 33 ("532m33")
;; QUESTION SECTION:
;ch.                            IN      DS

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Oct 04 10:34:50 CEST 2023
;; MSG SIZE  rcvd: 106
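
An added example, not part of the original message and not Cloudflare's tooling: it reads the expiration epoch out of the EDE line in the SERVFAIL response above, compares it with the time of the query, and applies the same validity-window test to RRSIG records in a local zone copy, which is the check that exposes a stale copy. The function names, the one-day warning margin and the zone records are constructed for illustration; only the EDE line and the query time come from the dig output.

```python
import re
from calendar import timegm
from time import strptime

def rrsig_time(ts):
    """RRSIG presentation timestamp YYYYMMDDHHmmSS (UTC) -> epoch seconds."""
    return timegm(strptime(ts, "%Y%m%d%H%M%S"))

def parse_ede(dig_text):
    """Pull (info_code, reason, expiration_epoch) from dig's EDE line."""
    m = re.search(r"EDE:\s*(\d+)\s*\(([^)]+)\).*?expiration\s*=\s*(\d+)",
                  dig_text, re.S)
    return (int(m.group(1)), m.group(2), int(m.group(3))) if m else None

def audit_zone_copy(zone_text, now, margin=86400):
    """Classify each single-line RRSIG in a zone copy against `now`."""
    findings = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        # RDATA order puts expiration before inception. Plain integer
        # comparison; RFC 1982 serial wrap-around is not handled here.
        expiration, inception = rrsig_time(f[8]), rrsig_time(f[9])
        if now >= expiration:
            state = "expired"
        elif now < inception:
            state = "not-yet-valid"
        elif expiration - now <= margin:
            state = "expiring"
        else:
            state = "ok"
        findings.append((f[0], f[4], state))
    return findings

# EDE line as it appears in the message above.
EDE_TEXT = ("; EDE: 7 (Signature Expired): (failed to verify ch. DS: "
            "RRSIG ch., expiration = 1696395600)")
# dig's WHEN line, 10:34:50 CEST, expressed in UTC.
QUERY_TIME = rrsig_time("20231004083450")
# Constructed zone copy: owners, key tag and signatures are placeholders.
ZONE = """\
example. 86400 IN DS 12345 13 2 00AA
example. 86400 IN RRSIG DS 8 1 86400 20231004050000 20230921040000 12345 . c2ln
test. 86400 IN RRSIG DS 8 1 86400 20231005050000 20230922040000 12345 . c2ln
invalid. 86400 IN RRSIG DS 8 1 86400 20231017050000 20231004040000 12345 . c2ln
"""
```

Run periodically against whatever local zone copy a resolver serves from, the `expiring` state gives a warning before validation starts failing with EDE 7.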