login.authorize.net has A and CNAME records

Justin Paine justin at cloudflare.com
Tue Apr 6 23:31:59 UTC 2021


For the thread -- we're aware and looking into this.  noc at cloudflare.com
being the best place to report these kinds of things.

__________________
*Justin Paine*
He/Him/His
Head of Trust & Safety
101 Townsend St, San Francisco, CA 94107 <https://www.cloudflare.com/>

*PGP:* BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
<https://keys.openpgp.org/vks/v1/by-fingerprint/BBAA6BCE33057FD66452711557B60114DE0B314D>


On Tue, Apr 6, 2021 at 2:49 PM Mark Andrews <marka at isc.org> wrote:

>
>
> > On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil at darkdevil.dk> wrote:
> >
> >
> > Den 06-04-2021 kl. 21:47 skrev Seth Mattinen:
> >>
> >>>
> >>> What kind of local problem or network problems could cause a servfail
> >>> response from the authoritative ns?
> >>
> >>
> >>
> >> I'm beginning to think this is a DNSSEC related problem, I'll ask on
> >> the pdns-users list. I see it's asking for a DS record on
> >> login.authorize.net.cdn.cloudflare.net when the nearest one appears to
> >> be at cloudflare.net, so for some reason that's not being applied all
> >> the way down.
> >
> > I do somehow take that "local problem" part back again, which also
> > wasn't intended exactly in the way that it was written:
> >
> > -> https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net
> >
> > Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
> > due to the SERVFAIL.
> >
> > -> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/
> >
> > Seems to claim that it works just fine.
> >
> > Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
> > login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.
> >
> >
> > But I don't think you should be querying /DNSKEY or /DS, except at the
> > (current) delegation's root, e.g. as you say yourself, at
> > "cloudflare.net" in this case.
>
> It shouldn’t matter if you query for them.  If the records don’t exist then
> you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove
> those responses.
>
> Note the server claims that TXT records exist at
> login.authorize.net.cdn.cloudflare.net but can’t return them.
>
>
> % dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
>
> ; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;login.authorize.net.cdn.cloudflare.net.        IN TYPE65
>
> ;; AUTHORITY SECTION:
> cloudflare.net.         5       IN      SOA     ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
> login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
> cloudflare.net.         5       IN      RRSIG   SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
> login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==
>
> ;; Query time: 17 msec
> ;; SERVER: 198.41.222.31#53(198.41.222.31)
> ;; WHEN: Wed Apr 07 07:13:25 AEST 2021
> ;; MSG SIZE  rcvd: 417
>
> %
>
> % dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
>
> ; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1232
> ;; QUESTION SECTION:
> ;login.authorize.net.cdn.cloudflare.net.        IN TXT
>
> ;; Query time: 15 msec
> ;; SERVER: 198.41.222.31#53(198.41.222.31)
> ;; WHEN: Wed Apr 07 07:14:22 AEST 2021
> ;; MSG SIZE  rcvd: 67
>
> %
>
> > Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...
> >
> > --
> > Med venlig hilsen / Kind regards,
> > Arne Jensen
> >
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
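
The consistency check described in the quoted message above, as an added example that is not part of the original thread: it parses dig text output and flags a record type that the NSEC bitmap lists at a name but that the server does not return. The two sample responses are constructed by abridging the dig output quoted above (wrapped lines rejoined, RRSIG records omitted); the function names are hypothetical.

```python
import re

# Constructed sample input: abridged from the two dig responses quoted in
# the thread (wrapped lines rejoined, RRSIG records omitted).
NODATA_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TYPE65
;; AUTHORITY SECTION:
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \\000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
"""
TXT_RESPONSE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TXT
"""

def parse_dig(text):
    """Return (status, qname, qtype, answer_count, {nsec_owner: types})."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    q = re.search(r"^;(\S+)\s+IN\s+(\S+)$", text, re.M)
    nsec = {}
    for m in re.finditer(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.*)$", text, re.M):
        nsec[m.group(1).lower()] = set(m.group(2).upper().split())
    return status, q.group(1).lower(), q.group(2).upper(), answers, nsec

def check(nodata_text, probe_text):
    """Compare the NSEC type bitmap in one response with a second query's result."""
    findings = []
    status, qname, qtype, answers, nsec = parse_dig(nodata_text)
    bitmap = nsec.get(qname, set())
    # A NODATA proof must not list the queried type in the bitmap at qname.
    if status == "NOERROR" and answers == 0 and qtype in bitmap:
        findings.append(f"NSEC bitmap lists {qtype} but the answer is empty")
    p_status, p_qname, p_qtype, p_answers, _ = parse_dig(probe_text)
    # A type the bitmap lists should come back as NOERROR with answer records.
    if p_qname == qname and p_qtype in bitmap and (
            p_status != "NOERROR" or p_answers == 0):
        findings.append(f"NSEC bitmap lists {p_qtype} at {qname}, but the "
                        f"{p_qtype} query returned {p_status} with "
                        f"{p_answers} answer records")
    return findings

if __name__ == "__main__":
    for finding in check(NODATA_RESPONSE, TXT_RESPONSE):
        print(finding)
```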

More information about the NANOG mailing list