login.authorize.net has A and CNAME records

Mark Andrews marka at isc.org
Tue Apr 6 21:48:37 UTC 2021



> On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil at darkdevil.dk> wrote:
> 
> 
> Den 06-04-2021 kl. 21:47 skrev Seth Mattinen:
>> 
>>> 
>>> What kind of local problem or network problems could cause a servfail
>>> response from the authoritative ns?
>> 
>> 
>> 
>> I'm beginning to think this is a DNSSEC related problem, I'll ask on
>> the pdns-users list. I see it's asking for a DS record on
>> login.authorize.net.cdn.cloudflare.net when the nearest one appears to
>> be at cloudflare.net, so for some reason that's not being applied all
>> the way down.
> 
> I do somehow take that "local problem" part back again, which also
> wasn't intended exactly in the way that it was written:
> 
> ->
> https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net
> 
> Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
> due to the SERVFAIL.
> 
> -> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/
> 
> Seems to claim that it works just fine.
> 
> Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
> login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.
> 
> 
> But I don't think you should be querying /DNSKEY or /DS, except at the
> (current) delegation's root, e.g. as you say yourself, at
> "cloudflare.net" in this case.

It shouldn’t matter if you query for them.  If the records don’t exist then
you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove
those responses.

Note the server claims that TXT records exist at login.authorize.net.cdn.cloudflare.net
but can’t return them. 


% dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.	IN TYPE65

;; AUTHORITY SECTION:
cloudflare.net.		5	IN	SOA	ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
login.authorize.net.cdn.cloudflare.net.	5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
cloudflare.net.		5	IN	RRSIG	SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
login.authorize.net.cdn.cloudflare.net.	5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==

;; Query time: 17 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:13:25 AEST 2021
;; MSG SIZE  rcvd: 417

% 

% dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.	IN TXT

;; Query time: 15 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:14:22 AEST 2021
;; MSG SIZE  rcvd: 67

%

> Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...
> 
> -- 
> Med venlig hilsen / Kind regards,
> Arne Jensen
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
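
The comparison made in the message above (the NSEC type bitmap lists TXT, yet a direct TXT query gets SERVFAIL), as an added example that is not part of the original e-mail: a Python check that parses dig output and flags a type the server advertises but cannot answer. The function names are hypothetical, and the sample replies are abbreviated from the two dig outputs above.

```python
import re

# Constructed sample input: the two replies in the message above, abbreviated
# (RRSIG and SOA lines dropped, whitespace normalised).
NODATA_REPLY = r""";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TYPE65
;; AUTHORITY SECTION:
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
"""
SERVFAIL_REPLY = r""";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN TXT
"""

def parse_dig(text):
    """Pull rcode, answer count, question and NSEC type bitmaps out of dig output."""
    qname, qtype = re.search(r"^;([^;\s]\S*)[ \t]+IN[ \t]+(\S+)", text, re.M).groups()
    nsec = {}
    for owner, rdata in re.findall(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+NSEC[ \t]+(.+)$", text, re.M):
        nsec[owner.lower()] = {t.upper() for t in rdata.split()[1:]}  # skip next-owner name
    return {"rcode": re.search(r"status: (\w+)", text).group(1),
            "answers": int(re.search(r"ANSWER: (\d+)", text).group(1)),
            "qname": qname.lower(), "qtype": qtype.upper(), "nsec": nsec}

def nodata_proven(reply):
    """NOERROR/NODATA is proven when an NSEC at the qname omits the queried type."""
    bitmap = reply["nsec"].get(reply["qname"])
    return (reply["rcode"] == "NOERROR" and reply["answers"] == 0
            and bitmap is not None and reply["qtype"] not in bitmap)

def check_claim(proof, probe):
    """Does a direct query for a type agree with the NSEC bitmap seen earlier?"""
    claimed = proof["nsec"].get(probe["qname"], set())
    if probe["qtype"] not in claimed:
        return "not-claimed"  # bitmap says the type is absent; NODATA would be right
    if probe["rcode"] == "NOERROR" and probe["answers"] > 0:
        return "consistent"
    return f"inconsistent: NSEC lists {probe['qtype']}, server returned {probe['rcode']}"

if __name__ == "__main__":
    proof, probe = parse_dig(NODATA_REPLY), parse_dig(SERVFAIL_REPLY)
    print("TYPE65 NODATA proven:", nodata_proven(proof))
    print("TXT:", check_claim(proof, probe))
```
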


