[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue May 26 11:00:58 UTC 2020
On Thu, Apr 23, 2020 at 08:46:02AM -0400, Shumon Huque wrote:
> > Great, thanks. Not yet resolved FWIW:
> >
> > http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html
>
> I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran
> my own debugging tool on these domains. All the CF servers for the zone
> are unresponsive to DNS queries for the TLSA record at those names. I
> assume that's why we get SERVFAIL. They respond to other queries fine
> (such as apex SOA, A, etc.):
I've rescanned the three domains, still broken (same URL, updated
content), and yes, silence.
@alla.ns.cloudflare.com.[173.245.58.62]
; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.58.62
;; connection timed out; no servers could be reached
@guss.ns.cloudflare.com.[173.245.59.172]
; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.59.172
;; connection timed out; no servers could be reached
Unclear why the TLSA queries are dropped, and by whom (is Cloudflare
just proxying breakage at the customer's DNS?)
--
Viktor.
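The per-server check described in the thread (TLSA query at the owner name versus SOA at the apex, DO bit set, no recursion, timeout means silence), as an added example in pure-stdlib Python rather than anything from the thread or from Shumon's tool; the server addresses and names are the ones quoted above, the 3-second timeout and the classification labels are assumptions.

```python
import random
import socket
import struct

TLSA, SOA = 52, 6  # RR type codes (RFC 6698, RFC 1035)

def build_query(qname, qtype, qid=None, dnssec=True):
    """Wire-format query: RD=0 (+norecurse) plus an EDNS0 OPT with DO set (+dnssec)."""
    qid = random.randint(0, 0xFFFF) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 1 if dnssec else 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 1232, TTL field carries the DO bit, empty RDATA
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0x8000, 0) if dnssec else b""
    return qid, header + question + opt

def parse_response(qid, data):
    """Return rcode and section counts, or None if the ID does not match our query."""
    rid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        return None
    return {"rcode": flags & 0xF, "answers": an, "authority": ns}

def probe(server, qname, qtype, timeout=3.0):
    """Send one query over UDP; 'timeout' means the server stayed silent (assumed 3 s)."""
    qid, pkt = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    r = parse_response(qid, data)
    return "id-mismatch" if r is None else f"rcode={r['rcode']} an={r['answers']}"

def classify(results):
    """results maps 'SOA'/'TLSA' -> probe() outcome for one server (labels are my own)."""
    if results["SOA"] == "timeout":
        return "server unreachable"
    if results["TLSA"] == "timeout":
        return "TLSA-specific drop"
    return "responsive"

if __name__ == "__main__":
    apex, name = "mx-hosting.ch", "_25._tcp.mx01.mx-hosting.ch"
    for server in ("173.245.58.62", "173.245.59.172"):
        outcome = {"SOA": probe(server, apex, SOA), "TLSA": probe(server, name, TLSA)}
        print(server, outcome, "->", classify(outcome))
```

A server that answers the apex SOA but never answers the TLSA query is exactly the silence the dig runs above show, and a resolver that gets no reply from any authority for the name will report SERVFAIL.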