1.1.1.1 BUG: fails validating basic DNSSEC

Just did a DNS test from DNS OARC and the test resulted in a mediocre C grade.
Cloudflare seems to be failing the basic test of DNSSEC. Investigating this, the domain requested is clearly bogus and should not return any other result than a SERVFAIL.
Will this be fixed soon?

[email protected] ~ % dig 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @1.1.1.1

; <<>> DiG 9.10.6 <<>> 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 02 ("..")
;; QUESTION SECTION:
;2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. IN A

;; ANSWER SECTION:
2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. 50 IN A 77.72.225.251

;; Query time: 150 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Jul 04 19:08:02 CEST 2021
;; MSG SIZE  rcvd: 100

On Google DNS, a SERVFAIL, like it should:

[email protected] ~ % dig 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @8.8.8.8

; <<>> DiG 9.10.6 <<>> 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59825
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. IN A

;; Query time: 95 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jul 04 19:09:37 CEST 2021
;; MSG SIZE  rcvd: 78

Also on Quad9, an expected result:

[email protected] ~ % dig 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @9.9.9.9

; <<>> DiG 9.10.6 <<>> 2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53912
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;2uohek6j512fjfetfa7sdvo0ok.cmdns.dev.dns-oarc.net. IN A

;; Query time: 223 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Jul 04 19:13:11 CEST 2021
;; MSG SIZE  rcvd: 78

Just tested again today, still happening.
Google, Quad9, OpenDNS and other big resolvers seem to correctly return no result, however, Cloudflare DOES. This is basic DNSSEC and should NOT fail so miserably. This is clearly a BUG. It worries me that Cloudflare has not replied on this yet.

Link to DNSVIZ


Clearly BOGUS, so should NOT return a result.

Dig web interface results:

[email protected] (Default):

[email protected] (AT&T (US)):
77.72.225.251
[email protected] (CloudFlare):
77.72.225.251
[email protected] (Comodo (US)):

[email protected] (Google):

[email protected] (HiNet (TW)):
77.72.225.251
[email protected]2 (OpenDNS):

[email protected] (Quad9):

[email protected]8 (Securolytics (CA)):
77.72.225.251
[email protected]2 (UUNET (CH)):

[email protected] (UUNET (DE)):

[email protected] (UUNET (UK)):

[email protected] (UUNET (US)):
77.72.225.251
[email protected] (Verisign (US)):

[email protected] (Yandex (RU)):
77.72.225.251

Check My DNS output:


s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net

Zone cmdns.dev.dns-oarc.net (77.72.225.250) returns NXDOMAIN for s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net

May I ask have you tried purging/flushing the DNS cache for the A, AAAA, NS, DNSKEY, DS records using below tools for main domain dns-oarc.net and then for that sub-sub-sub domain (maybe too deep one?):

QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN A
ANSWER
Record not found!

QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN AAAA
ANSWER
Record not found!

QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN NS
ANSWER
Record not found!

Hm, is it really a bug at the provider server?

Therefore, may I ask is there any A or AAAA type DNS record defined at Cloudflare dashboard → DNS tab for this sub-sub-sub domain? - as far as I currently checked, none are being found and propagated/resolved on a lookup?

May I ask have you tried writing a ticket and contacting Cloudflare support due to your account and/or domain issue?

1 Like

Check My DNS” is a tool to check DNS server features by “testing your configured resolvers using your browser and special crafted domain names.” Furthermore: “With the special crafted subdomains and the ability to send “wrong” DNS answers it is possible to analyze the functionality and hopefully tell what RFCs the clients DNS resolver infrastructure supports.”

The domain (s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net) was just a test generated from the server. It will expire within 24 hours, that’s why you see an NXDOMAIN now. To create a new fresh domain like that, just run the test yourself here using Cloudflare and click on the red bar under “Basic DNS”. I just now did it and was given domain qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net.. Then I use that domain to check, for example with dig:

[email protected] Mac % dig +short qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net. @1.1.1.1                
77.72.225.254
[email protected] % dig +short qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net. @9.9.9.9
[email protected] % dig +short qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net. @8.8.8.8
[email protected] % dig +short qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net. @208.67.222.222

and you see only Cloudflare returns something. The rest return a SERVFAIL like it’s supposed to.
And again, a dnsviz, clearly BOGUS:

Kindly thank you for the explanation as far as I haven’t knew it before until now.

I could agree on that one too as far as I remember once, while using DNSVIZ, on one of my .eu TLD being signed with DNSSEC (domain on Cloudflare), it showed an error, either all the correct settings were applied and DNSSEC was working fine.

Topic:

That DNSViz thread you sent looked very peculiar indeed and it does seem like a bug on their end. However, looking at the other resolvers (Google, Quad9 and OpenDNS), they seem to all respond with a SERVFAIL. So we could assume that the domain is actually BOGUS.

Was your DNSSEC bug fixed in the end? Perhaps Cloudflare has trouble with recently signed DNSSEC domains. As these test domains of “Check My Dns” are created just at that moment and other domains, like the test here, are signed for quite some time and seem to work fine.

Thanks for feedback.

Hm, from different tests, it seems to be ok, but using DNSVIZ it is still the same - “timed out or failed” for nl.dns.eu, so I am not sure if it actually works as it is supposed to.

But who knows :thinking:

Update to not automatically have this thread closed: this has still not been fixed as of 2021-08-27.

Hi, the ; OPT=15: 00 02 ("..") in your dig response means that the DS digest algorithm is unsupported (see code 2 in RFC 8914 - Extended DNS Errors) which also means you get an insecure response back (AD flag is missing). This is not the most accurate error code, but the reason for this is the signature length for SEP key is shorter than the expected hash length (which is 256 bits for RSASHA256), so there’s no way to use it verify the record its signing. I agree it would be better to treat it as a bogus than invalid data in this case, I’ll create a ticket to track this.

Please keep me posted for any updates on the ticket :smiley::logopulse: