[dns-operations] console.aws.amazon.com - breakage & confusing output from DNSViz?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 7 18:50:19 UTC 2022
On Mon, Feb 07, 2022 at 06:27:37PM +0000, Matthew Richardson wrote:
> but Bind & Unbound returned SERVFAIL and Knot Resolver returned NXDOMAIN.
>
> https://dnsviz.net/d/console.aws.amazon.com/YgEn7g/dnssec/
>
> suggests a DNSSEC issue showing some things being BOGUS. However (unless I
> am missing something obvious), there is no DNSSEC involved!
The more likely source of trouble can be seen by clicking on the "Errors"
button:
aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)
aws.amazon.com/CNAME: The Authoritative Answer (AA) flag was not set in the response. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73, UDP_-_EDNS0_4096_D_KN, UDP_-_EDNS0_512_D_KN)
console.aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)
us-east-1.console.aws.amazon.com zone: The server(s) did not respond authoritatively for the namespace. (34.196.62.143, 52.9.140.222, 52.9.146.37, 52.16.221.207, 52.19.138.45, 52.86.96.73)
> Can anyone more knowledgeable shed any light on what might be going wrong
> here? I wonder whether this is relevant:-
I doubt I'm especially more knowledgeable, but perhaps at times more
observant of small details...
> >; <<>> DiG 9.11.29 <<>> @ns-912.amazon.com +norec -t ns aws.amazon.com
> >; (1 server found)
> >;; global options: +cmd
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34133
> >;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
note the lack of the "aa" flag, expected from an authoritative server.
> >;; ANSWER SECTION:
> >aws.amazon.com. 600 IN NS ns-912.amazon.com.
> >aws.amazon.com. 60 IN CNAME tp.8e49140c2-frontier.amazon.com.
As for NXDOMAIN, that was perhaps the status of the target of the alias
at some point. The CNAME target may have changed since, or a previous
NXDOMAIN may have expired from caches, ...
--
VIktor.
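
The check described in the message above, as an added example that is not part of the original post: it parses the quoted `dig +norec` output and reports a missing "aa" flag. Going slightly beyond the reply, it also reports a CNAME that shares its owner name with other record types, as the quoted answer section shows. The function names `parse_dig` and `audit` are hypothetical, and the sample is the quoted output with the mail quoting prefixes stripped.

```python
import re

# Constructed sample: the dig +norec output quoted in the message above,
# with the mail quoting prefixes ("> >") stripped.
SAMPLE = """\
; <<>> DiG 9.11.29 <<>> @ns-912.amazon.com +norec -t ns aws.amazon.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34133
;; flags: qr; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
aws.amazon.com. 600 IN NS ns-912.amazon.com.
aws.amazon.com. 60 IN CNAME tp.8e49140c2-frontier.amazon.com.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Return (status, flags, records) from dig's default text output."""
    status, flags, records = None, set(), []
    for line in text.splitlines():
        line = line.strip()
        m = re.search(r"status: (\w+)", line)
        if line.startswith(";; ->>HEADER<<-") and m:
            status = m.group(1)
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line and not line.startswith(";"):
            rr = RR.match(line)
            if rr:
                records.append((rr.group(1).lower(), rr.group(3).upper(), rr.group(4)))
    return status, flags, records

def audit(text):
    """List problems visible in a direct (+norec) query to a listed nameserver."""
    status, flags, records = parse_dig(text)
    findings = []
    if status == "NOERROR" and records and "aa" not in flags:
        findings.append("answer without AA flag: response is not authoritative")
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)
    for owner, types in sorted(types_by_owner.items()):
        if "CNAME" in types and types - {"CNAME", "RRSIG", "NSEC"}:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(f"{owner} has CNAME alongside {others}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```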