[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Viktor Dukhovni ietf-dane at dukhovni.org
Tue May 26 11:00:58 UTC 2020


On Thu, Apr 23, 2020 at 08:46:02AM -0400, Shumon Huque wrote:

> > Great, thanks.  Not yet resolved FWIW:
> >
> >     http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html
> 
> I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran
> my own debugging tool on these domains. All the CF servers for the zone
> are unresponsive to DNS queries for the TLSA record at those names. I
> assume that's why we get SERVFAIL. They respond to other queries fine
> such as apex SOA, A, etc):

I've rescanned the three domains, still broken (same URL, updated
content), and yes silence.

    @alla.ns.cloudflare.com.[173.245.58.62]
    ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.58.62
    ;; connection timed out; no servers could be reached

    @guss.ns.cloudflare.com.[173.245.59.172]
    ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.59.172
    ;; connection timed out; no servers could be reached

Unclear why the TLSA queries are dropped, and by whom (is Cloudflare
just proxying breakage at the customer's DNS?)

-- 
    Viktor.


More information about the dns-operations mailing list