[dns-operations] Funny DNSSEC problem

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Apr 7 19:37:03 UTC 2015 

The domain juralib.nologs.org does not resolve (SERVFAIL) from Free
(2nd ISP in France, uses DNSSEC validation).

% dig A juralib.noblogs.org         

; <<>> DiG 9.9.2-P2 <<>> A juralib.noblogs.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25509
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;juralib.noblogs.org.	IN A

;; Query time: 92 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Tue Apr  7 21:33:10 2015
;; MSG SIZE  rcvd: 48

[192.168.2.254 is the CPE, managed by Free: it runds dnsmasq and
forwards to Free's resolvers, which, when queried directly, yield the
same result]

The content of the cache is surprising (repetition of the CNAME):

% dig +cd A juralib.noblogs.org

; <<>> DiG 9.9.2-P2 <<>> +cd A juralib.noblogs.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64000
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 15, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;juralib.noblogs.org.	IN A

;; ANSWER SECTION:
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
juralib.noblogs.org.	6821 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	6821 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
www.l.autistici.org.	1800 IN	A 82.94.249.234
www.l.autistici.org.	1800 IN	A 94.23.50.208
www.l.autistici.org.	1800 IN	RRSIG A 7 4 30 (
				20150416184405 20150317184405 2207 l.autistici.org.
				XHGHuv+1oAfjU7ZpWtVKCdDQYPYV2ekj595yAX79wxGb
				QdYGt5iW/T72SerD/JwQg/HuO8DP3UNuB3ql0PXB2Z0m
				Q3fG16+SiVdII69zohb0Wkl0+CVBeqWtJn0bLgJfDmOL
				6VpJ9CKNmm+YCtZjJTxL4XN/3KBhH8FI9dUZaQ8= )

;; AUTHORITY SECTION:
l.autistici.org.	1800 IN	NS ns2.investici.org.
l.autistici.org.	1800 IN	NS ns3.investici.org.
l.autistici.org.	1800 IN	NS ns1-v6.investici.org.
l.autistici.org.	1800 IN	NS ns2-v6.investici.org.
l.autistici.org.	1800 IN	NS ns1.investici.org.
l.autistici.org.	1800 IN	RRSIG NS 7 3 30 (
				20150416184405 20150317184405 2207 l.autistici.org.
				OvAsgash4kUa++O2ZTlsXN5XLVQKxdsvZ+FSCJ0/ESp+
				sz+PoW0HnC+WRLEWvyToIj5yEyFlNoos5DnAIzlTwTxA
				v6Fi2T4jFPCH9fp8k2yTSpHFpd4CuiNJYWn9DMbUbvUC
				p3fP9xikV5Ifpt11Q9b7UQN1kIdPbMBtWq7fIi4= )

;; Query time: 826 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Tue Apr  7 21:33:30 2015
;; MSG SIZE  rcvd: 1662

You can see from other places, using various resolvers, that the
domain is DNSSEC-OK:

% dig @bind.odvr.dns-oarc.net A juralib.noblogs.org

; <<>> DiG 9.9.2-P2 <<>> @bind.odvr.dns-oarc.net A juralib.noblogs.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27336
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;juralib.noblogs.org.	IN A

;; ANSWER SECTION:
juralib.noblogs.org.	3057 IN	CNAME www.l.autistici.org.
juralib.noblogs.org.	3057 IN	RRSIG CNAME 7 2 9600 (
				20150416184531 20150317184531 64367 noblogs.org.
				U9hh55qkKItfXSGa6O47Me4g0LRSWGvo70UnCJk05I2M
				1yMajDoSNWef4npQdNJ4uNW5LEO6RsnCbqCcmtvb9HQH
				OfV6Kjn5UHF+4cglYc1WutAI70hLPPdYpCwL904g3Yx1
				nc8IbuzI9K+FDoPj6Bo+sdfhdesJkdeWyqLaE6Q= )
www.l.autistici.org.	30 IN A	82.94.249.234
www.l.autistici.org.	30 IN A	94.23.50.208
www.l.autistici.org.	30 IN RRSIG A 7 4 30 (
				20150416184532 20150317184532 2207 l.autistici.org.
				uYf76I5QXKL1AKo97gLlYNnltqKjKUuJkcEGQw/S3ci+
				9Ohw4RS8oAILa3IhTj2c8ThNSDXK/w0Ilvji0ehp0Lph
				eqF4mI4WON7gWHi5QXuRlsgC8678rEgWXL+GYJGfQ71j
				j9QgenSNbE6vn87gmC0VKkLtdVfm+4zDSvb+6nc= )

;; AUTHORITY SECTION:
M3DV8AQFFUR2FKJ8SBHUU5IFPT9CMHGH.noblogs.org. 3057 IN NSEC3 1 0 10 5CA1AB1E (
				TJV2IS5T6EGEBIH6OUAT3H49RETTJMBG
				
				A NS SOA AAAA RRSIG DNSKEY NSEC3PARAM )
M3DV8AQFFUR2FKJ8SBHUU5IFPT9CMHGH.noblogs.org. 3057 IN RRSIG NSEC3 7 3 3600 (
				20150416184531 20150317184531 64367 noblogs.org.
				MWHzDCOEg7tpWE1KZxbZnY8zTHObeiCYmpQvn5An/iPY
				kOiLeNlLbL1UbJq/gCb3tSOWekyZOJDmtfEqkKAeBWm+
				chkqAh/S3VkH3s+wfx2PIu5Q61Wv1SntEaoaWe2hz4RW
				Is6nq7TQID/xHu1zR+wXe9R5UPg13Hz7Vdzd8dc= )
l.autistici.org.	30 IN NS ns2-v6.investici.org.
l.autistici.org.	30 IN NS ns1.investici.org.
l.autistici.org.	30 IN NS ns3.investici.org.
l.autistici.org.	30 IN NS ns1-v6.investici.org.
l.autistici.org.	30 IN NS ns2.investici.org.
l.autistici.org.	30 IN RRSIG NS 7 3 30 (
				20150416184532 20150317184532 2207 l.autistici.org.
				fdpsLMEO4puI6qHGKVS9Yxra6hd5tyhttyBwlkdBvSTZ
				i0veu/pPIpaAzeHJA8oNtAHYDMXPpHpvnp4/XnYn3sFz
				83kSpT7zLScb1NOE43hJICEEwpMP5cKW73/7Mw/ojLwq
				z20br5Kjg7+Fe/6HaVNydWyaeWqUs7krHNu5mJA= )

;; ADDITIONAL SECTION:
ns1.investici.org.	85856 IN A 82.94.249.234
ns2.investici.org.	85856 IN A 46.4.106.116
ns3.investici.org.	85856 IN A 178.255.144.35
ns1-v6.investici.org.	85856 IN AAAA 2001:888:2000:56::19
ns2-v6.investici.org.	85856 IN AAAA 2a01:4f8:141:2f0::19

;; Query time: 494 msec
;; SERVER: 2001:4f8:3:2bc:1:0:64:20#53(2001:4f8:3:2bc:1:0:64:20)
;; WHEN: Tue Apr  7 21:34:26 2015
;; MSG SIZE  rcvd: 1096


DNSviz or other testing tools see no problem (the domain uses
wildcards and CNAME but, apparently, in a correct way).

I suspect that the resolvers at Free have been corrupted in some way
(the CNAME duplication) but I wonder what would cause that?

More information about the dns-operations mailing list