<div dir="ltr"><div dir="ltr">On Thu, Apr 23, 2020 at 2:25 AM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Apr 20, 2020 at 11:55:38AM +0100, Christian Elmerot wrote:<br>
<br>
> On 2020-04-19 07:55, Viktor Dukhovni wrote:<br>
> > The CloudFlare auth servers return ServFail for the TLSA lookup of:<br>
> ><br>
> > <a href="https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/_25._tcp.mx01.mx-hosting.ch/XpvvXg/dnssec/</a><br>
> > <a href="https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/_25._tcp.mail.markleenen.eu/Xpvvcg/dnssec/</a><br>
> > <a href="https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/_25._tcp.box.nobodyghost.net/Xpvvow/dnssec/</a><br>
><br>
> Those ServFails are being looked into as that is something different and <br>
> a bug I believe. I'll get back with more information when the issue's <br>
> been identified in our pipeline.<br>
<br>
Great, thanks. Not yet resolved FWIW:<br>
<br>
<a href="http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html" rel="noreferrer" target="_blank">http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/cloudflare.com.html</a></blockquote><div><br></div><div>I didn't see the reason for the SERVFAIL in the dnsviz output. So I ran my own debugging tool on these domains. All the CF servers for the zone are unresponsive to DNS queries for the TLSA record at those names. I assume that's why we get SERVFAIL. They respond to other queries fine (such as apex SOA, A, etc.):</div><div><br></div><div>Abbreviated transcript from the first:</div><div><br></div><div>[...]</div><pre>
# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone eu. address 194.146.106.90
# [SECURE Referral to zone: markleenen.eu. in 0.080 s]
ZONE: markleenen.eu.
NS: darl.ns.cloudflare.com. 173.245.59.98 2606:4700:58::adf5:3b62
NS: tegan.ns.cloudflare.com. 173.245.58.226 2606:4700:50::adf5:3ae2
DS: 2371 13 2 23de654eeaae6a7acf8192d2604cdaad5b0ae6abc4dc6456e89559fb5d7a19f0
DNSKEY: markleenen.eu. 257 2371 ECDSA-P256 (13) 512-bits
DNSKEY: markleenen.eu. 256 34505 ECDSA-P256 (13) 512-bits

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.59.98
WARN: UDP query timeout for 173.245.59.98
WARN: UDP query timeout for 173.245.59.98

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62
WARN: UDP query timeout for 2606:4700:58::adf5:3b62

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 173.245.58.226
WARN: UDP query timeout for 173.245.58.226
WARN: UDP query timeout for 173.245.58.226

# QUERY: _25._tcp.mail.markleenen.eu. TLSA IN at zone markleenen.eu. address 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2
WARN: UDP query timeout for 2606:4700:50::adf5:3ae2
</pre></div><div class="gmail_quote"><br><div>Queries to all servers for zone markleenen.eu. failed.</div><div><br></div></div></div>
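The diagnostic the mail above describes (ask every authoritative server for the TLSA name, retry, and compare against a query the server is known to answer, such as the apex SOA) as an added example. This is not the poster's debugging tool nor any code from the thread; the zone, the TLSA name and the four server addresses are taken from the transcript, the transport layer uses dnspython when it is installed, and the `verdict` labels are this example's own vocabulary. Separating the control query from the TLSA query is what lets an operator tell "the server is down for us" apart from "the server silently drops this particular query", which is the distinction the mail draws.

```python
"""Per-nameserver TLSA probe with a control query (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A transport takes (server_ip, qname, qtype) and returns the rcode as text
# ("NOERROR", "SERVFAIL", ...) or raises TimeoutError when nothing comes back.
Transport = Callable[[str, str, str], str]


@dataclass
class Probe:
    server: str
    control: str   # apex SOA outcome: rcode text or "TIMEOUT"
    tlsa: str      # TLSA outcome: rcode text or "TIMEOUT"

    @property
    def verdict(self) -> str:
        if self.control == "TIMEOUT":
            return "unreachable"          # server answers nothing: not TLSA-specific
        if self.tlsa == "TIMEOUT":
            return "drops-tlsa"           # answers SOA, never answers TLSA
        if self.tlsa != "NOERROR":
            return "rcode:" + self.tlsa   # SERVFAIL, NXDOMAIN, REFUSED, ...
        return "ok"


def _ask(send: Transport, server: str, qname: str, qtype: str) -> str:
    try:
        return send(server, qname, qtype)
    except TimeoutError:
        return "TIMEOUT"


def probe_zone(zone: str, qname: str, servers: List[str], send: Transport) -> List[Probe]:
    """Send the control query (apex SOA) and the TLSA query to every server."""
    return [Probe(s, _ask(send, s, zone, "SOA"), _ask(send, s, qname, "TLSA"))
            for s in servers]


def summarize(probes: List[Probe]) -> Dict[str, object]:
    """Collapse per-server outcomes into what a validating resolver would see."""
    verdicts = {p.server: p.verdict for p in probes}
    usable = [s for s, v in verdicts.items() if v == "ok"]
    return {
        "verdicts": verdicts,
        "all_failed": not usable,   # no usable server: the resolver reports SERVFAIL
        "tlsa_specific": bool(probes) and all(v == "drops-tlsa" for v in verdicts.values()),
    }


def dnspython_transport(timeout: float = 3.0) -> Transport:
    """Real transport: two UDP attempts, then one TCP attempt, mirroring the
    two WARN lines per server in the transcript. dnspython is imported here,
    lazily, so the rest of the module works without it (hypothetical deployment)."""
    import dns.exception
    import dns.flags
    import dns.message
    import dns.query
    import dns.rcode

    def send(server: str, qname: str, qtype: str) -> str:
        q = dns.message.make_query(qname, qtype, want_dnssec=True)
        for _ in range(2):
            try:
                r = dns.query.udp(q, server, timeout=timeout)
                if r.flags & dns.flags.TC:
                    break                 # truncated: retry over TCP below
                return dns.rcode.to_text(r.rcode())
            except dns.exception.Timeout:
                print(f"WARN: UDP query timeout for {server}")
        try:
            r = dns.query.tcp(q, server, timeout=timeout)
            return dns.rcode.to_text(r.rcode())
        except (dns.exception.Timeout, OSError):
            raise TimeoutError(server)

    return send


# Names and addresses copied from the transcript in the mail above.
ZONE = "markleenen.eu."
QNAME = "_25._tcp.mail.markleenen.eu."
SERVERS = ["173.245.59.98", "2606:4700:58::adf5:3b62",
           "173.245.58.226", "2606:4700:50::adf5:3ae2"]

if __name__ == "__main__":
    report = summarize(probe_zone(ZONE, QNAME, SERVERS, dnspython_transport()))
    for server, verdict in report["verdicts"].items():
        print(f"{server:28} {verdict}")
    if report["all_failed"]:
        print(f"Queries to all servers for zone {ZONE} failed.")
```

Run as a script it prints one verdict per server and the same closing line as the transcript when no server is usable; `summarize()["tlsa_specific"]` is true only when every server answers the control query but drops the TLSA query, which is the pattern the mail reports.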