nanog mailing list archives

Re: login.authorize.net has A and CNAME records


From: Justin Paine via NANOG <nanog () nanog org>
Date: Tue, 6 Apr 2021 16:31:59 -0700

For the thread -- we're aware and looking into this.  noc () cloudflare com
being the best place to report these kinds of things.


__________________
*Justin Paine*
He/Him/His
Head of Trust & Safety
101 Townsend St, San Francisco, CA 94107 <https://www.cloudflare.com/>

*PGP:* BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D
<https://keys.openpgp.org/vks/v1/by-fingerprint/BBAA6BCE33057FD66452711557B60114DE0B314D>


On Tue, Apr 6, 2021 at 2:49 PM Mark Andrews <marka () isc org> wrote:



On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil () darkdevil dk> wrote:


On 06-04-2021 at 21:47, Seth Mattinen wrote:


What kind of local problem or network problems could cause a servfail
response from the authoritative ns?



I'm beginning to think this is a DNSSEC related problem, I'll ask on
the pdns-users list. I see it's asking for a DS record on
login.authorize.net.cdn.cloudflare.net when the nearest one appears to
be at cloudflare.net, so for some reason that's not being applied all
the way down.

I do somehow take that "local problem" part back again, which also
wasn't intended exactly in the way that it was written:

->

https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net

Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
due to the SERVFAIL.

-> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/

Seems to claim that it works just fine.

Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.


But I don't think you should be querying /DNSKEY or /DS, except at the
(current) delegation's root, e.g. as you say yourself, at
"cloudflare.net" in this case.

It shouldn’t matter if you query for them.  If the records don’t exist then
you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove
those responses.

Note the server claims that TXT records exist at
login.authorize.net.cdn.cloudflare.net but can’t return them.


% dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TYPE65

;; AUTHORITY SECTION:
cloudflare.net.         5       IN      SOA     ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
cloudflare.net.         5       IN      RRSIG   SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==

;; Query time: 17 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:13:25 AEST 2021
;; MSG SIZE  rcvd: 417

%

% dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TXT

;; Query time: 15 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:14:22 AEST 2021
;; MSG SIZE  rcvd: 67

%

Or if "cdn.cloudflare.net" had been a sub-delegation, then at that
point...

--
Med venlig hilsen / Kind regards,
Arne Jensen



--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
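
Added example, not part of the original messages: a small Python check that reads the two dig replies quoted above and flags the mismatch discussed in the thread, where the NSEC type bitmap lists TXT while the TXT query itself gets SERVFAIL. The function names and the trimmed reply text are assumptions made for illustration; it checks response shape only and validates no signatures.

```python
import re

# Trimmed copies of the two dig replies quoted in this message
# (SOA and RRSIG lines omitted, the wrapped NSEC line rejoined).
TYPE65_REPLY = r"""
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TYPE65
;; AUTHORITY SECTION:
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
"""
TXT_REPLY = r"""
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TXT
"""

def parse(reply):
    """Pull rcode, flags, question and any NSEC type bitmaps out of dig text."""
    qname, qtype = re.search(r"^;(\S+)\s+IN\s+(\S+)", reply, re.M).groups()
    # Map each NSEC owner name to its set of listed types (next-owner name skipped).
    nsec = {o.lower(): set(t.split()) for o, t in
            re.findall(r"^(\S+)\s+\d+\s+IN\s+NSEC\s+\S+\s+(.*)$", reply, re.M)}
    return {"rcode": re.search(r"status: (\w+)", reply).group(1),
            "aa": "aa" in re.search(r"flags: ([a-z ]+);", reply).group(1).split(),
            "answers": int(re.search(r"ANSWER: (\d+)", reply).group(1)),
            "qname": qname.lower(), "qtype": qtype, "nsec": nsec}

def classify(reply):
    """Describe the shape of one reply: error rcode, answer, or NODATA with/without NSEC."""
    r = parse(reply)
    if r["rcode"] != "NOERROR":
        return r["rcode"].lower()
    if r["answers"]:
        return "answer"
    bitmap = r["nsec"].get(r["qname"])
    if bitmap is None:
        return "nodata-without-nsec"  # NSEC3 and wildcard proofs are not handled
    return "nodata-proven" if r["qtype"] not in bitmap else "nodata-contradicted"

def claimed_but_failing(denial, probe):
    """True when the NSEC bitmap in `denial` lists the type `probe` got SERVFAIL for."""
    d, p = parse(denial), parse(probe)
    return p["rcode"] == "SERVFAIL" and p["qtype"] in d["nsec"].get(p["qname"], set())
```
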


