[dns-operations] A strange DNS problem (intermittent SERVFAILs)
dagon at sudo.sh
Sat May 30 18:50:53 UTC 2020
On Sat, May 30, 2020 at 06:09:24PM +0200, Stephane Bortzmeyer wrote:
> The existing DNS configuration is clearly very questionable, such as a
> zone delegated to just one name server, and a broken one, replying
> REFUSED for NS and SOA queries.
> The question is "how did this incorrect setup can produce *sometimes*
> a resolution failure?"
1) I speculate some cloud resolvers like Cloudflare enforce 1035's
requirement that a valid zone ('master file') contain at least an
SOA and NS, and therefore fail lookups in the zone. This is a
2) And as you know qname minimization (strict or flexible) should
work here. But perhaps Cloudflare has another 7816-like policy
that fails this zone? This is also a complete guess.
In writing intentionally bad DNS authorities, I've found the
cloud DNS providers have batteries of checks (e.g., for ECS
support, for child NS, for SOA, etc.). Some like OpenDNS even
probe each label level of lenghty qnames for zone cuts.
The cloud providers promise safety improvements, so perhaps the
missing SOA causes a fail, or they implemented 7816 differently.
3) Perhaps an appliance is not passing SOA queries? Even if cloud
providers don't enforce the 1035 'minimal master file'
requirements, the bank's authority should. How can you even load
such a zone in a modern authority server? All modern auth
servers would fail, I believe.
Most malware domains do a better job of provisioning and
configuration. Can this bank be helped?
dagon at sudo.sh
D970 6D9E E500 E877 B1E3 D3F8 5937 48DC 0FDC E717
More information about the dns-operations