<div dir="ltr">For the thread -- we're aware and looking into this. <a href="mailto:noc@cloudflare.com">noc@cloudflare.com</a> being the best place to report these kinds of things.<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><p style="font-family:Helvetica;font-size:12px;color:rgb(64,64,64)"><a href="https://www.cloudflare.com/" style="font-family:Times;font-size:medium;font-style:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank"></a></p><p style="font-family:Helvetica;font-size:12px;color:rgb(64,64,64)">__________________<br><b>Justin Paine</b><br>He/Him/His<br>Head of Trust & Safety<br>101 Townsend St, San Francisco, CA 94107<a href="https://www.cloudflare.com/" target="_blank"></a></p><div style="color:rgb(0,0,0);font-family:Times;font-size:medium;background-image:url("https://www.cloudflare.com/img/signature-cloud.png");width:200px;height:30px"></div><p style="font-family:Helvetica;font-size:12px;color:rgb(64,64,64)"><b>PGP:</b> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/BBAA6BCE33057FD66452711557B60114DE0B314D" style="color:rgb(47,123,191)" target="_blank">BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D</a></p></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 6, 2021 at 2:49 PM Mark Andrews <<a href="mailto:marka@isc.org">marka@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
> On 7 Apr 2021, at 05:59, Arne Jensen <<a href="mailto:darkdevil@darkdevil.dk" target="_blank">darkdevil@darkdevil.dk</a>> wrote:<br>
> <br>
> <br>
> Den 06-04-2021 kl. 21:47 skrev Seth Mattinen:<br>
>> <br>
>>> <br>
>>> What kind of local problem or network problems could cause a servfail<br>
>>> response from the authoritative ns?<br>
>> <br>
>> <br>
>> <br>
>> I'm beginning to think this is a DNSSEC related problem, I'll ask on<br>
>> the pdns-users list. I see it's asking for a DS record on<br>
>> <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a> when the nearest one appears to<br>
>> be at <a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>, so for some reason that's not being applied all<br>
>> the way down.<br>
> <br>
> I do somehow take that "local problem" part back again, which also<br>
> wasn't intended exactly in the way that it was written:<br>
> <br>
> -><br>
> <a href="https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net</a><br>
> <br>
> Is looking at <a href="http://login.authorize.net.cdn.cloudflare.net/DNSKEY" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net/DNSKEY</a>, but failing<br>
> due to the SERVFAIL.<br>
> <br>
> -> <a href="https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/" rel="noreferrer" target="_blank">https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/</a><br>
> <br>
> Seems to claim that it works just fine.<br>
> <br>
> Asking <a href="http://login.authorize.net.cdn.cloudflare.net/DNSKEY" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net/DNSKEY</a> or<br>
> <a href="http://login.authorize.net.cdn.cloudflare.net/DS" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net/DS</a> returns SERVFAIL here too.<br>
> <br>
> <br>
> But I don't think you should be querying /DNSKEY or /DS, except a the<br>
> (current) delegation's root, e.g. as you say yourself, at<br>
> "<a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>" in this case.<br>
<br>
It shouldn’t matter if you query for them. If the records don’t exist then<br>
you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove<br>
those responses.<br>
<br>
Note the server claims that TXT records exist at <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a><br>
but can’t return them. <br>
<br>
<br>
% dig <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a> type65 @<a href="http://198.41.222.31" rel="noreferrer" target="_blank">198.41.222.31</a> +dnssec<br>
<br>
; <<>> DiG 9.15.4 <<>> <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a> type65 @<a href="http://198.41.222.31" rel="noreferrer" target="_blank">198.41.222.31</a> +dnssec<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641<br>
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
;; QUESTION SECTION:<br>
;<a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a>. IN TYPE65<br>
<br>
;; AUTHORITY SECTION:<br>
<a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>. 5 IN SOA <a href="http://ns1.cloudflare.net" rel="noreferrer" target="_blank">ns1.cloudflare.net</a>. <a href="http://dns.cloudflare.com" rel="noreferrer" target="_blank">dns.cloudflare.com</a>. 1617743605 10000 2400 604800 5<br>
<a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a>. 5 IN NSEC \<a href="http://000.login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">000.login.authorize.net.cdn.cloudflare.net</a>. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA<br>
<a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>. 5 IN RRSIG SOA 13 2 5 20210407221325 20210405201325 34505 <a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==<br>
<a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a>. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 <a href="http://cloudflare.net" rel="noreferrer" target="_blank">cloudflare.net</a>. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==<br>
<br>
;; Query time: 17 msec<br>
;; SERVER: 198.41.222.31#53(198.41.222.31)<br>
;; WHEN: Wed Apr 07 07:13:25 AEST 2021<br>
;; MSG SIZE rcvd: 417<br>
<br>
% <br>
<br>
% dig <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a> txt @<a href="http://198.41.222.31" rel="noreferrer" target="_blank">198.41.222.31</a> +dnssec<br>
<br>
; <<>> DiG 9.15.4 <<>> <a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a> txt @<a href="http://198.41.222.31" rel="noreferrer" target="_blank">198.41.222.31</a> +dnssec<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557<br>
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
;; WARNING: recursion requested but not available<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags: do; udp: 1232<br>
;; QUESTION SECTION:<br>
;<a href="http://login.authorize.net.cdn.cloudflare.net" rel="noreferrer" target="_blank">login.authorize.net.cdn.cloudflare.net</a>. IN TXT<br>
<br>
;; Query time: 15 msec<br>
;; SERVER: 198.41.222.31#53(198.41.222.31)<br>
;; WHEN: Wed Apr 07 07:14:22 AEST 2021<br>
;; MSG SIZE rcvd: 67<br>
<br>
%<br>
<br>
> Or if "<a href="http://cdn.cloudflare.net" rel="noreferrer" target="_blank">cdn.cloudflare.net</a>" had been a sub-delegation, then at that point...<br>
> <br>
> -- <br>
> Med venlig hilsen / Kind regards,<br>
> Arne Jensen<br>
> <br>
> <br>
<br>
-- <br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: +61 2 9871 4742 INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
<br>
</blockquote></div>