1.1.1.1 ; DNSSEC-Issue for Rootserver-Hosts .club (further TLDs)

Currently I experience issues resolving the hostnames for .club root servers, which is not always reproducible. I use 1.1.1.1 as a resolver for this.

Other DNSSEC validating resolvers resolve the hosts reliably. DNSviz https://dnsviz.net/d/nic.club/ZaQZ8A/dnssec/ shows no warnings or other hints.

Any ideas?

#######
%dig @1.1.1.1 a.nic.club +dnssec +nsid

; <<>> DiG 9.18.18-0ubuntu0.23.04.1-Ubuntu <<>> @1.1.1.1 a.nic.club +dnssec +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for nic.club.)
; EDE: 22 (No Reachable Authority): (at delegation nic.club.)
; NSID: 33 37 33 6d 37 30 ("373m70")
;; QUESTION SECTION:
;a.nic.club.                    IN      A

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Jan 14 18:58:06 CET 2024
;; MSG SIZE  rcvd: 126

##
; <<>> DiG 9.18.18-0ubuntu0.23.04.1-Ubuntu <<>> @1.1.1.1 a.nic.club +dnssec +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30397
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; NSID: 33 37 36 6d 32 ("376m2")
;; QUESTION SECTION:
;a.nic.club.                    IN      A

;; ANSWER SECTION:
a.nic.club.             86400   IN      A       37.209.192.10
a.nic.club.             86400   IN      RRSIG   A 8 3 86400 20240212093309 20240113091612 46170 nic.club. Rizji69oY/6R+l+6ZsRaPhnR5AdRNMk1NXH66S6cLLl5nODPqv/UKOu4 OcvmdTReHSj6v0O8he9hhJs1aqWkrrx4gJJ0kBqvZ91y0umpZ3c/1tfg 2z2mXnN88Xn3cnDxBvUh/ONjo92gYPJs21CBRNiwIbfXZzguZtDXIbrS d/mrfCc/mE/UwbC7xCVN/UeHTH2aNHyVxsBeoHrme5BZyA==

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Jan 14 18:58:07 CET 2024
;; MSG SIZE  rcvd: 264
#####

The resolving issue remains. Have cross-checked many validating resolvers. All of them validate the .club-hosts correctly.

1.)
%delv +vtrace a.nic.club @1.1.1.1
;; fetch: a.nic.club/A
;; resolution failed: SERVFAIL

2.)

% delv +vtrace a.nic.club @1.1.1.1
;; fetch: a.nic.club/A
;; validating a.nic.club/A: starting
;; validating a.nic.club/A: attempting positive response validation
;; fetch: nic.club/DNSKEY
;; validating nic.club/DNSKEY: starting
;; validating nic.club/DNSKEY: attempting positive response validation
;; fetch: nic.club/DS
;; validating nic.club/DS: starting
;; validating nic.club/DS: attempting positive response validation
;; fetch: club/DNSKEY
;; validating club/DNSKEY: starting
;; validating club/DNSKEY: attempting positive response validation
;; fetch: club/DS
;; validating club/DS: starting
;; validating club/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating club/DS: in fetch_callback_dnskey
;; validating club/DS: keyset with trust secure
;; validating club/DS: resuming validate
;; validating club/DS: verify rdataset (keyid=30903): success
;; validating club/DS: marking as secure, noqname proof not needed
;; validating club/DNSKEY: in fetch_callback_ds
;; validating club/DNSKEY: dsset with trust secure
;; validating club/DNSKEY: verify rdataset (keyid=54682): success
;; validating club/DNSKEY: marking as secure (DS)
;; validating nic.club/DS: in fetch_callback_dnskey
;; validating nic.club/DS: keyset with trust secure
;; validating nic.club/DS: resuming validate
;; validating nic.club/DS: verify rdataset (keyid=15345): success
;; validating nic.club/DS: marking as secure, noqname proof not needed
;; validating nic.club/DNSKEY: in fetch_callback_ds
;; validating nic.club/DNSKEY: dsset with trust secure
;; validating nic.club/DNSKEY: verify rdataset (keyid=33940): success
;; validating nic.club/DNSKEY: marking as secure (DS)
;; validating a.nic.club/A: in fetch_callback_dnskey
;; validating a.nic.club/A: keyset with trust secure
;; validating a.nic.club/A: resuming validate
;; validating a.nic.club/A: verify rdataset (keyid=46170): success
;; validating a.nic.club/A: marking as secure, noqname proof not needed
; fully validated
a.nic.club.             86374   IN      A       37.209.192.10
a.nic.club.             86374   IN      RRSIG   A 8 3 86400 20240212093309 20240113091612 46170 nic.club. Rizji69oY/6R+l+6ZsRaPhnR5AdRNMk1NXH66S6cLLl5nODPqv/UKOu4 OcvmdTReHSj6v0O8he9hhJs1aqWkrrx4gJJ0kBqvZ91y0umpZ3c/1tfg 2z2mXnN88Xn3cnDxBvUh/ONjo92gYPJs21CBRNiwIbfXZzguZtDXIbrS d/mrfCc/mE/UwbC7xCVN/UeHTH2aNHyVxsBeoHrme5BZyA==

3.)

%delv +vtrace a.nic.club @1.1.1.1
;; fetch: a.nic.club/A
;; resolution failed: SERVFAIL

Maybe it's an incompatibility with TLDs from Go Daddy Registry? .design-Hosts suffer.

kdig @1.1.1.1 b.nic.design +nsid
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 38677
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 9 (DNSKEY Missing): 'no SEP matching the DS found for nic.design.'
;; EDE: 22 (No Reachable Authority): 'at delegation nic.design.'
;; NSID: 3537306D313138 "570m118"

;; QUESTION SECTION:
;; b.nic.design.                IN      A

;; Received 133 B
;; Time 2024-01-16 22:25:16 CET
;; From 1.1.1.1@53(UDP) in 9.4 ms

Hi @DasKutti,

Thanks for raising this. The cause of the issue is: (a) 1.1.1.1 uses qname minimisation (RFC-7816), and (b) glue records are missing from some of the nameserver responses (see below). We’ll have a workaround to fix this later.

# query sent to ns1.dns.nic.club
dig @156.154.144.215 nic.club +nord

; <<>> DiG 9.18.19 <<>> @156.154.144.215 nic.club +nord
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49122
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nic.club.                      IN      A

;; ANSWER SECTION:
nic.club.               600     IN      A       34.204.39.241
nic.club.               600     IN      A       54.85.227.149

;; AUTHORITY SECTION:
nic.club.               86400   IN      NS      a.nic.club.
nic.club.               86400   IN      NS      b.nic.club.
nic.club.               86400   IN      NS      c.nic.club.
nic.club.               86400   IN      NS      ns1.dns.nic.club.
nic.club.               86400   IN      NS      ns2.dns.nic.club.
nic.club.               86400   IN      NS      ns3.dns.nic.club.

;; Query time: 19 msec
;; SERVER: 156.154.144.215#53(156.154.144.215) (UDP)
;; WHEN: Tue Jan 23 11:27:45 PST 2024
;; MSG SIZE  rcvd: 175
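The missing-glue condition named in the reply above can be checked mechanically from saved dig output. This is an added example, not part of the thread and not Cloudflare's code: it assumes "missing glue" means an NS target at or below the zone name with no A/AAAA record in the ADDITIONAL section. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, abridged from the authoritative response quoted above:
# NS records in AUTHORITY, no address records in ADDITIONAL.
SAMPLE_NO_GLUE = """\
;; AUTHORITY SECTION:
nic.club.               86400   IN      NS      a.nic.club.
nic.club.               86400   IN      NS      ns1.dns.nic.club.
"""

# Constructed counter-example: glue present for one name only
# (192.0.2.10 is a documentation address, not a real server).
SAMPLE_PARTIAL_GLUE = SAMPLE_NO_GLUE + """\

;; ADDITIONAL SECTION:
a.nic.club.             86400   IN      A       192.0.2.10
"""

def parse_sections(dig_text):
    """Return {section: [(owner, rtype, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif not line.strip():
            current = None                      # a blank line ends a section
        elif current is not None and not line.startswith(";"):
            fields = line.split(None, 4)        # owner ttl class type rdata
            if len(fields) == 5:
                owner, _ttl, _cls, rtype, rdata = fields
                current.append((owner.lower(), rtype, rdata.lower()))
    return sections

def missing_glue(dig_text):
    """In-zone NS targets that have no A/AAAA record in ADDITIONAL."""
    s = parse_sections(dig_text)
    ns_records = s.get("AUTHORITY", []) + s.get("ANSWER", [])
    glued = {owner for owner, rtype, _ in s.get("ADDITIONAL", [])
             if rtype in ("A", "AAAA")}
    missing = set()
    for zone, rtype, target in ns_records:
        in_zone = target == zone or target.endswith("." + zone)
        if rtype == "NS" and in_zone and target not in glued:
            missing.add(target)
    return sorted(missing)

if __name__ == "__main__":
    print(missing_glue(SAMPLE_NO_GLUE))
    print(missing_glue(SAMPLE_PARTIAL_GLUE))
```

Run against the output of `dig @<authoritative server> <zone> +nord` for each nameserver of a zone, a non-empty result marks the servers whose responses leave a resolver to look up the NS addresses separately.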

Hi @anb,

Many thanks for checking this issue.

Can confirm that - in the meantime - no more ServerFail is returned. Probably CF is still working on the workaround to fix this issue.

Anyway: Thank you very much for the great technical support!

;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39014
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 3 (Stale Answer)
;; EDE: 9 (DNSKEY Missing): 'no SEP matching the DS found for nic.design.'
;; EDE: 22 (No Reachable Authority): 'at delegation nic.design.'
;; NSID: 3630386D3738 "608m78"

;; QUESTION SECTION:
;; a.nic.design.                IN      A

;; ANSWER SECTION:
a.nic.design.           161540  IN      A       37.209.192.10

;; Received 154 B
;; Time 2024-02-08 21:25:23 CET
;; From 1.1.1.1@53(UDP) in 14.0 ms
