[dns-operations] EDNS weirdness with certs.godaddy.com?

Michael Smitasin mnsmitasin at lbl.gov
Wed Apr 29 23:27:51 UTC 2015 

A few weeks ago we got reports of users unable to visit the
certs.godaddy.com site, which had previously worked. Digging into it, it
looks to be a DNS problem. We run our own name servers (BIND) so I do
have access to configurations, though to the best of my knowledge, no
config changes were made on our end. Running it through dnsviz.net also
reports a problem:

> secureserver.net. to where.secureserver.net.: The server(s) responded
> with a malformed response or with an invalid RCODE. (208.109.80.40,
> 208.109.132.40)secureserver.net. to where.secureserver.net.: The
> server(s) were not responsive to queries over TCP. (208.109.80.40,
> 208.109.132.40)
> certs.gd.where.secureserver.net./A: The response had an invalid RCODE
> (FORMERR) until EDNS was disabled. (208.109.132.40)
> certs.gd.where.secureserver.net./A: The response had an invalid RCODE
> (FORMERR) until EDNS was disabled. (208.109.80.40)

Taking packet captures on our name servers while querying themselves
(dig @127.0.0.1 certs.godaddy.com) will sometimes show a response from
the GoDaddy name server, but our name servers don't seem to register it,
they'll keep asking for NS records until the dig query times out. Other
times it'll return a Form-Err. I seem to be able to reproduce the
Form-Err reliably by doing a dig +trace, or querying the authoritative
name server for the target of the certs.godaddy.com CNAME
(certs.gd.where.secureserver.net):

dig @gns1.secureserver.net certs.gd.where.secureserver.net +edns=0

(That query succeeds if you use +noedns instead)

Interestingly, we have 2 name servers, plus my own personal name
servers, which do not have this issue. As mentioned in the DNSviz
errors, the difference seems to be EDNS. I took a peek at some of the
packet captures, and this appears to be the only significant difference:

> <root>: type OPT
>     Name: <Root>
>     Type: OPT (41)
>     UDP payload size: 4096
>     Higher bits in extended RCODE: 0x00
>     ENDS0 version: 0
>     Z: 0x8000
>             1... .... .... .... = DO bit: Accepts DNSSEC security RRs
>             .000 0000 0000 0000 = Reserved: 0x0000
>     Data length: 0

Also interestingly, queries of the parent domain, secureserver.net, work
fine, though they have a completely different set of authoritative name
servers.

Anyone else run into this or have ideas what it could be? Does GoDaddy
have a firewall that's mangling EDNS queries?

Thanks,

-- 
Michael Smitasin
Network Engineer
LBLnet Services Group
Lawrence Berkeley National Laboratory

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150429/1458f6cb/attachment.sig>

More information about the dns-operations mailing list