[dns-operations] Assistance Request: OpenDNS Not Resolving Certain .realtor™ Domains

Robert Kisteleki robert at ripe.net
Wed Dec 3 08:51:18 UTC 2025 

Hi, to show the extent of the problem in RIPE Atlas:

$ cat 141962937.txt | goat result -output dnsstat -opt type:A | head
21026   "[100.24.208.97 35.172.94.1]"
2064    "SERVFAIL"
1368    "TIMEOUT"
89      "REFUSED"
45      "[100.24.208.97 205.251.192.154 205.251.194.208 205.251.197.238
205.251.199.47 35.172.94.1]"
30      "FORMERR"
23      "[0.0.0.0]"
9       "[100.24.208.97 205.251.194.208 205.251.197.238 205.251.199.47
35.172.94.1]"
8       "[35.172.94.1]"
7       "[100.24.208.97 205.251.192.154 205.251.194.208 205.251.197.238
35.172.94.1]"

https://atlas.ripe.net/measurements/141962937/ (the viz is quite heavy on a
browser, but all the data is there if you want to dig deep)

Cheers,
Robert



On Wed, Dec 3, 2025 at 2:02 AM Viktor Dukhovni <ietf-dane at dukhovni.org>
wrote:

> On Mon, Dec 01, 2025 at 05:42:23PM +0000, Matthew Embrescia via
> dns-operations wrote:
>
> > Over the past week, we’ve received multiple reports from customers
> > indicating that some .realtor domains (for example, hlaor.realtor)
> > are failing to resolve through OpenDNS, while resolving normally
> > across most other major recursive resolvers, including Google Public
> > DNS, Cloudflare, and Quad9.
>
> Indeed some of the recursive servers are responding with SERVFAIL and an
> EDE suggesting a DNSSEC issue:
>
> - LAX:
>
>     $ for ns in 208.67.22{0,2}.2 2620:0:cc{c,d}::2; do dig +nsid @${ns}
> hlaor.realtor; done | grep -E 'opcode:|EDE|NSID'
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59550
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 33 30 30 38 2e 6c 61 78 ("r3008.lax")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20672
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 76 72 31 2e 6c 61 78 ("vr1.lax")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7531
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 33 30 31 31 2e 6c 61 78 ("r3011.lax")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21870
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 33 30 30 38 2e 6c 61 78 ("r3008.lax")
>
> - MEL:
>
>     $ for ns in 208.67.22{0,2}.2 2620:0:cc{c,d}::2; do dig +nsid @${ns}
> hlaor.realtor; done | grep -E 'opcode:|EDE|NSID'
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35571
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 34 30 30 32 2e 6d 65 6c 31 ("r4002.mel1")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53654
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 34 30 30 34 2e 6d 65 6c 31 ("r4004.mel1")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11898
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 34 30 30 34 2e 6d 65 6c 31 ("r4004.mel1")
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5349
>     ; EDE: 6 (DNSSEC Bogus)
>     ; NSID: 72 34 30 30 32 2e 6d 65 6c 31 ("r4002.mel1")
>
> And ditto for DNSViz for via the same OpenDNS recursive servers:
>
>     https://dnsviz.net/d/hlaor.realtor/e/3525266/dnssec/
>
> but with the additional detail that the "CD" flag yields success, which
> I can also confirm:
>
>     $ for ns in 208.67.22{0,2}.2 2620:0:cc{c,d}::2; do dig +nsid +cd
> @${ns} hlaor.realtor; done | grep -E 'opcode:|EDE|NSID|^[^;]'
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33629
>     ; NSID: 72 33 30 31 30 2e 6c 61 78 ("r3010.lax")
>     hlaor.realtor.          3600    IN      A       100.24.208.97
>     hlaor.realtor.          3600    IN      A       35.172.94.1
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14743
>     ; NSID: 72 33 30 30 36 2e 6c 61 78 ("r3006.lax")
>     hlaor.realtor.          3600    IN      A       100.24.208.97
>     hlaor.realtor.          3600    IN      A       35.172.94.1
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49680
>     ; NSID: 72 34 30 30 35 2e 6c 61 78 ("r4005.lax")
>     hlaor.realtor.          3600    IN      A       35.172.94.1
>     hlaor.realtor.          3600    IN      A       100.24.208.97
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14934
>     ; NSID: 72 33 30 30 32 2e 6c 61 78 ("r3002.lax")
>     hlaor.realtor.          3600    IN      A       100.24.208.97
>     hlaor.realtor.          3600    IN      A       35.172.94.1
>
> So most likely for some reason the OpenDNS servers don't like the DS
> non-existence proof from the .realtor authoritative servers.  Which is
> odd, because the DNSKEY and DS records of .realtor haven't changed since
> late July 2021.
>
> If Brian Somers is reading this list and still at Cisco OpenDNS, he
> should have a better insight into the nature of the problem.
>
> --
>     Viktor.  🇺🇦 Слава Україні!
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20251203/5fe15dcd/attachment-0003.html>

More information about the dns-operations mailing list