[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Shumon Huque shuque at gmail.com
Thu Apr 23 12:46:02 UTC 2020


On Thu, Apr 23, 2020 at 2:25 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Mon, Apr 20, 2020 at 11:55:38AM +0100, Christian Elmerot wrote:
>
> > On 2020-04-19 07:55, Viktor Dukhovni wrote:
> > > The CloudFlare auth servers return ServFail for the TLSA lookup of:
> > >
> > >      https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/
> > >      https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/
> > >      https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/
> >
> > Those ServFails are being looked into as that is something different and
> > a bug I believe. I'll get back with more information when the issue's
> > been identified in our pipeline.
>
> Great, thanks.  Not yet resolved FWIW:
>
>     http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html


I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran
my own debugging tool on these domains. All the CF servers for the zone
are unresponsive to DNS queries for the TLSA record at those names. I
assume that's why we get SERVFAIL. They respond to other queries fine
(such as apex SOA, A, etc.):

Abbreviated transcript from the first:

[...]
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone eu. address 194.146.106.90
#        [SECURE Referral to zone: markleenen.eu. in 0.080 s]
ZONE: markleenen.eu.
NS: darl.ns.cloudflare.com. 173.245.59.98 2606:4700:58::adf5:3b62
NS: tegan.ns.cloudflare.com. 173.245.58.226 2606:4700:50::adf5:3ae2
DS: 2371 13 2 23de654eeaae6a7acf8192d2604cdaad5b0ae6abc4dc6456e89559fb5d7a19f0
DNSKEY: markleenen.eu. 257 2371 ECDSA-P256 (13) 512-bits
DNSKEY: markleenen.eu. 256 34505 ECDSA-P256 (13) 512-bits

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.59.98
WARN: UDP query timeout for 173.245.59.98
WARN: UDP query timeout for 173.245.59.98

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.58.226
WARN: UDP query timeout for 173.245.58.226
WARN: UDP query timeout for 173.245.58.226

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2

Queries to all servers for zone markleenen.eu. failed.
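The check the message describes, sending the same TLSA query to every authoritative address for the zone and telling a timeout apart from a real answer, as an added example that is not Shumon's tool, not code from the original post, and not Cloudflare code. It builds the DNS query on the wire itself (RD=0, EDNS0 with DO set, as a validating tool would send to an authoritative), retries once on a UDP timeout like the two WARN lines per address above, and reports either TIMEOUT or the RCODE plus any TLSA records. The transport is pluggable: `udp_transport` does the real exchange on port 53, while `constructed_transport`, `build_response` and `CONSTRUCTED_SERVERS` are an offline stand-in using RFC 5737/3849 documentation addresses and constructed replies, not captured data; the name `_25._tcp.mail.example.` is likewise an assumption for the demo.

```python
# Added example, not the post's tool and not Cloudflare code: send one TLSA query to
# every NS address, retry once on UDP timeout, and report TIMEOUT or RCODE + TLSA RRs.
import socket
import struct
TYPE_TLSA, TYPE_OPT, CLASS_IN = 52, 41, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64: raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Decode the name at off, following compression pointers; returns (name, end)."""
    labels, end, hops = [], None, 0
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                        # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if (hops := hops + 1) > 64:
                raise ValueError("compression loop")
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1 if end is None else end

def build_query(qname, qtype=TYPE_TLSA, txid=0x1234):
    """RD=0 query as sent to an authoritative, plus an EDNS0 OPT RR with the DO bit set."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)       # id, flags, qd, an, ns, ar
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, type 41, class = UDP payload size, TTL field carries DO (0x8000).
    return msg + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x8000, 0)

def parse_response(msg, txid):
    """Return rcode name, AA/TC flags and any TLSA records in the answer section."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid: raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                                    # skip the question section
        off = decode_name(msg, off)[1] + 4
    tlsa = []
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TLSA and rclass == CLASS_IN:      # usage, selector, mtype, data
            tlsa.append((rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return {"rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200), "tlsa": tlsa}

def udp_transport(address, query, timeout):
    """Real transport: one UDP exchange on port 53, None on timeout."""
    fam = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (address, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def probe_server(address, qname, transport, timeout=3.0, retries=2, txid=0x1234):
    """Query one server, retrying on timeout (the two WARN lines per address above)."""
    query = build_query(qname, txid=txid)
    for _ in range(retries):
        reply = transport(address, query, timeout)
        if reply is not None:
            return parse_response(reply, txid)
    return {"rcode": "TIMEOUT", "aa": False, "tc": False, "tlsa": []}

def probe_zone(servers, qname, transport=udp_transport):
    return {addr: probe_server(addr, qname, transport) for addr in servers}

# Constructed offline stand-in for the auth servers (RFC 5737/3849 addresses, not captured data).
def build_response(query, rcode=0, tlsa_rdata=None, aa=True):
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:query.index(b"\x00", 12) + 5]      # qname + qtype + qclass
    flags = 0x8000 | (0x0400 if aa else 0) | rcode          # QR, AA, RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, int(tlsa_rdata is not None), 0, 0) + question
    if tlsa_rdata is not None:                              # owner = pointer to the qname at 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(tlsa_rdata)) + tlsa_rdata
    return msg

CONSTRUCTED_SERVERS = {                                     # address: (behaviour, TLSA rdata)
    "192.0.2.1": ("answer", bytes([3, 1, 1]) + bytes.fromhex("ab" * 32)),  # 3 1 1 = DANE-EE SPKI SHA-256
    "192.0.2.2": ("servfail", None),
    "2001:db8::1": ("timeout", None)}

def constructed_transport(address, query, timeout):
    kind, rdata = CONSTRUCTED_SERVERS[address]
    if kind == "timeout":
        return None
    return build_response(query, rcode=2, aa=False) if kind == "servfail" else build_response(query, tlsa_rdata=rdata)
```

Run `probe_zone(CONSTRUCTED_SERVERS, "_25._tcp.mail.example.", constructed_transport)` to see one address answer with a TLSA record, one return SERVFAIL, and one time out after two attempts; against a real zone, pass the NS addresses from the referral and leave the transport at its default `udp_transport`. An address that answers SOA and A but times out only on TLSA is exactly the pattern in the transcript above, and this separates it from a server that is down outright or one that returns an explicit SERVFAIL.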