[dns-operations] A strange DNS problem (intermittent SERVFAILs)
Guillaume LUCAS
glucas+dnsoarc at glucas.fr
Tue Jun 2 21:39:38 UTC 2020
Hello,
I just subscribed to this list, so sorry for the thread breaking.
> Several users on Twitter reported problems accessing Banque
> Populaire (a French bank)
Since 1 pm (UTC+2) this day (June 2nd), it works from CloudFlare, FDN,…
everywhere. Customers confirm that on Twitter [*]. But
nsisp1.i-bp.banquepopulaire.fr. still returns REFUSED for NS/SOA and
over-TCP queries for www.banquepopulaire.fr or
www.ibps.bpaca.banquepopulaire.fr. So, I don't understand what the root
cause of the problem was…
www.caisse-epargne.fr, a french bank of the same banking group as Banque
Populaire, had a similar problem in the same period of time: the two
name servers for this DNS zone, nslp1.gcetech.net and nslp2.gcetech.net,
returned NODATA for NS/SOA queries (but they answered to over-TCP
queries). Unbound 1.9 could resolve this name, Unbound 1.6 couldn't.
Technical details (in french): <http://shaarli.guiguishow.info/?TqC4Ug>.
Like Banque Populaire, name resolution works since 1 pm (UTC+2) today.
nslp(1|2).gcetech.net still returns NODATA… So, again, I don't
understand what the root cause was…
@Matthew: you said « bcpe.fr is delegated to the same servers which do
not answer NS queries ». It's wrong. bpce.fr have always been delegated
to dns(1|2).bpce.fr . These servers have always answered to NS/SOA and
TCP queries. Name servers for banquepopulaire / bpce.fr / groupebpce.com
= dns(1|2).bpce.fr, name servers for www.banquepopulaire.fr /
www.ibps.*.banquepopulaire.fr / www.*.banquepopulaire.fr =
nsisp1.i-bp.banquepopulaire.fr. On last Saturday, I was able to
reproduce your result for "dig @1.1.1.1 banquepopulaire.fr ns":
CloudFlare always aswered SERVFAIL (or didn't answer). CloudFlare was
the only resolver in this case. So, like you observed, it's normal that
CloudFlare stop the resolution at this point, but what about the other
resolvers?
Good night everybody.
[*] Except two people
(<https://twitter.com/The_Angus_Old/status/1267881092478111745>). But I
don't fully trust them, because of previous exchanges and because I'm
living in the same state (yes, it's regional banks under the same banner).
More information about the dns-operations
mailing list