1.1.1.1 can't resolve m.geektimes.com


#1

Subj! Other DNS servers resolve it correctly. Pls, look into this.

[2.4.3-RELEASE][[email protected]]/root: dig @1.1.1.1 m.geektimes.com

; <<>> DiG 9.11.2-P1 <<>> @1.1.1.1 m.geektimes.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23999
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;m.geektimes.com.               IN      A

;; AUTHORITY SECTION:
geektimes.com.          1659    IN      SOA     ns1.habradns.net. nsmaster.habralab.ru. 2018042605 3600 900 604800 3600

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed May 02 11:32:19 MSK 2018
;; MSG SIZE  rcvd: 116

[2.4.3-RELEASE][[email protected]]/root: dig @9.9.9.9 m.geektimes.com    

; <<>> DiG 9.11.2-P1 <<>> @9.9.9.9 m.geektimes.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35420
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;m.geektimes.com.               IN      A

;; ANSWER SECTION:
m.geektimes.com.        3600    IN      CNAME   geektimes.com.
geektimes.com.          3600    IN      A       178.248.237.68

;; Query time: 362 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed May 02 11:32:28 MSK 2018
;; MSG SIZE  rcvd: 74

[2.4.3-RELEASE][[email protected]]/root: dig @8.8.8.8 m.geektimes.com    

; <<>> DiG 9.11.2-P1 <<>> @8.8.8.8 m.geektimes.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65485
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;m.geektimes.com.               IN      A

;; ANSWER SECTION:
m.geektimes.com.        32      IN      CNAME   geektimes.com.
geektimes.com.          32      IN      A       178.248.237.68

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 02 11:32:34 MSK 2018
;; MSG SIZE  rcvd: 74

[2.4.3-RELEASE][[email protected]]/root: dig +short CHAOS TXT id.server @1.1.1.1
"dme01"

#2

Am I misunderstanding NSEC, or do that domain’s NSEC records falsely say that zero subdomains exist?

m.geektimes.com. does exist, but if you query anything negative, and use aggressive NSEC, the whole zone will get zapped.

Right?

$ dig +dnssec l.geektimes.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec l.geektimes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48647
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;l.geektimes.com.               IN      A

;; AUTHORITY SECTION:
geektimes.com.          3600    IN      SOA     ns1.habradns.net. nsmaster.habralab.ru. 2018042605 3600 900 604800 3600
geektimes.com.          3600    IN      RRSIG   SOA 13 2 3600 20180510000000 20180419000000 30835 geektimes.com. k2cA5Qfdyf6+/aMyndVaZUUAcvxNGBA3DWD16+c+Gdmj2UdpAUpHrQou JEKG1XVYwhm+7+imO3irJSO4JwItsQ==
geektimes.com.          3600    IN      NSEC    geektimes.com. A NS SOA MX TXT RRSIG NSEC DNSKEY CAA
geektimes.com.          3600    IN      RRSIG   NSEC 13 2 3600 20180510000000 20180419000000 30835 geektimes.com. JrQ2gYbChvHeeaCPkZ1tIlpfZ1cUedWvqEnMzcVBpPCQzl2Rb2BhYd0I Z+hhVvUgKtfu2t4e7oGnbPvrgxKLog==

;; Query time: 116 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed May 02 08:56:31 UTC 2018
;; MSG SIZE  rcvd: 373

Edit:

Right. That is what the NSEC record in an empty zone looks like.

The domain is probably using PowerDNS. The zone’s admins probably need to run “pdnsutil rectify-zone geektimes.com” (and make sure it’s not an issue in the future, or with their other zones).
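Added example, not part of any post in this thread and not the resolver's own code: a simplified NSEC coverage check in canonical name order (RFC 4034 section 6.1), showing why a resolver doing aggressive NSEC caching (RFC 8198) answers NXDOMAIN for m.geektimes.com once it has cached the NSEC record from the dig output above. The function names and the `RECTIFIED` chain are constructed for illustration; wildcards and escaped dots in labels are not handled.

```python
# Added example (not from the thread): NSEC denial-of-existence check.
# Simplified: no wildcard handling, no escaped dots inside labels.

def canonical_key(name):
    """RFC 4034 6.1 ordering: lowercase labels compared from the root-most label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def in_zone(name, apex):
    n, a = canonical_key(name), canonical_key(apex)
    return n[:len(a)] == a

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC (owner -> next_name) proves that qname does not exist."""
    if not in_zone(qname, apex):
        return False
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False              # the owner name itself exists
    if o < n:
        return o < q < n          # ordinary gap between two existing names
    return q > o or q < n         # chain wraps to the apex (also owner == next)

def cached_nxdomain(nsec_cache, qname, apex):
    """What an aggressive-NSEC resolver concludes from cached records alone."""
    return any(nsec_covers(o, n, qname, apex) for o, n in nsec_cache)

APEX = "geektimes.com."
# The NSEC record from the dig output above: owner and next name are both the apex.
BROKEN = [("geektimes.com.", "geektimes.com.")]
# Constructed: the chain a rectified zone would serve if m were the only other name.
RECTIFIED = [("geektimes.com.", "m.geektimes.com."),
             ("m.geektimes.com.", "geektimes.com.")]

if __name__ == "__main__":
    for label, cache in (("broken", BROKEN), ("rectified", RECTIFIED)):
        for qname in ("l.geektimes.com.", "m.geektimes.com."):
            verdict = "NXDOMAIN" if cached_nxdomain(cache, qname, APEX) else "ask upstream"
            print(f"{label:9} {qname:18} -> {verdict}")
```

With the apex-to-apex record cached, every name below the apex is denied; with the constructed rectified chain, only l.geektimes.com is.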


#3

Thx! I’ll try to reach the geektimes support…