[dns-operations] At least 3 CloudFlare DNS-hosted domains with oddball TLSA lookup ServFail

Christian Elmerot christian at elmerot.se
Wed May 27 16:34:13 UTC 2020


On 26/05/2020 12:00, Viktor Dukhovni wrote:
> On Thu, Apr 23, 2020 at 08:46:02AM -0400, Shumon Huque wrote:
>
>>> Great, thanks.  Not yet resolved FWIW:
>>>
>>>      http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html
>> I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran
>> my own debugging tool on these domains. All the CF servers for the zone
>> are unresponsive to DNS queries for the TLSA record at those names. I
>> assume that's why we get SERVFAIL. They respond to other queries fine
>> such as apex SOA, A, etc):
> I've rescanned the three domains, still broken (same URL, updated
> content), and yes silence.
>
>      @alla.ns.cloudflare.com.[173.245.58.62]
>      ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.58.62
>      ;; connection timed out; no servers could be reached
>
>      @guss.ns.cloudflare.com.[173.245.59.172]
>      ; <<>> DiG 9.16.2 <<>> +noidnout +nosearch +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mx01.mx-hosting.ch @173.245.59.172
>      ;; connection timed out; no servers could be reached
>
> Unclear why the TLSA queries are dropped, and by whom (is Cloudflare
> just proxying breakage at the customer's DNS?)

I've looked into the error on our side and the reason for those
SERVFAILs is malformed record content. This is likely due to an
older version of our API not performing the correct validations for TLSA
records and it is unfortunate the zone owners never checked the output.

Christian Elmerot, Cloudflare
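As an added illustration of the check the zone owners could have run (example code written for this thread, not Cloudflare's API or anything from the original posts), the following Python validates TLSA record content against the RFC 6698 field constraints before it is published; the zone fragment, owner names and digests are constructed.

```python
import re
# Hex digit count of the association data per matching type (RFC 6698): 1 = SHA-256, 2 = SHA-512.
# Matching type 0 (full certificate or SPKI) has no fixed length and is only checked for valid hex.
_DIGEST_HEX_LEN = {1: 64, 2: 128}
_TLSA_LINE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+(?P<rdata>.+)$", re.I)

def validate_tlsa(rdata: str) -> list[str]:
    """Return the problems found in one TLSA RDATA string; an empty list means it is well formed."""
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        return [f"expected 4 fields (usage selector mtype data), got {len(fields)}"]
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        return ["usage, selector and matching type must be decimal integers"]
    problems = []
    # Allowed values: usage 0-3 (PKIX-TA/PKIX-EE/DANE-TA/DANE-EE), selector 0-1, matching type 0-2.
    for name, value, limit in (("usage", usage, 3), ("selector", selector, 1), ("matching type", mtype, 2)):
        if not 0 <= value <= limit:
            problems.append(f"{name} {value} is outside 0-{limit}")
    # Presentation format allows whitespace inside the hex data; strip it before checking.
    hexdata = re.sub(r"\s+", "", fields[3])
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hexdata):
        problems.append("association data is not a non-empty, even-length hex string")
    elif mtype in _DIGEST_HEX_LEN and len(hexdata) != _DIGEST_HEX_LEN[mtype]:
        problems.append(f"matching type {mtype} needs {_DIGEST_HEX_LEN[mtype]} hex digits, got {len(hexdata)}")
    return problems

def scan_zone(zone_text: str) -> dict[str, list[str]]:
    """Map each TLSA owner name in zone-file text to the problems found under it."""
    report: dict[str, list[str]] = {}
    for line in zone_text.splitlines():
        m = _TLSA_LINE.match(line.strip())
        if not m:
            continue  # not a TLSA record line
        problems = validate_tlsa(m["rdata"])
        # RFC 6698 section 3: TLSA owner names are _port._proto.host; flag anything else.
        if not re.match(r"^_\d+\._(tcp|udp|sctp)\.", m["owner"]):
            problems.append("owner name does not start with _port._proto.")
        if problems:
            report.setdefault(m["owner"], []).extend(problems)
    return report

# Constructed sample zone fragment (not data from the thread): one good record, two bad ones.
SAMPLE_ZONE = "\n".join([
    "_25._tcp.mx.example.net. 3600 IN TLSA 3 1 1 " + "ab" * 32,  # valid DANE-EE / SPKI / SHA-256
    "_25._tcp.mx.example.net. 3600 IN TLSA 3 1 1 " + "ab" * 16,  # truncated digest
    "mx.example.net.          3600 IN TLSA 3 1 1 " + "ab" * 32,  # missing _port._proto prefix
])
```

Running `scan_zone` over a zone export before (or after) pushing it through a provider API surfaces exactly the malformed content described above, instead of leaving it to a resolver's SERVFAIL to reveal.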
