1.1.1.1 + DNSSEC = SERVFAIL on some domains

dash-dns
dns-resolver
#1

Hi,

It’s just to report back this issue about DNSSEC: when 1.1.1.1 is used with DNSSEC, some domains are not resolved (it works with other providers), namely the domain watchub.pw does not work when DNSSEC is enabled.

How to reproduce :

[[email protected]]# nslookup watchub.pw
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can’t find watchub.pw: SERVFAIL

I just solved this by adding another provider, and posted here to let you know :wink:

Thanks

#2

watchub.pw. has a CNAME record pointing to watchub.herokuapp.com..

It’s illegal for the apex of a zone to have a CNAME record. Sometimes resolvers will return SERVFAIL.

You’re probably running into this issue:

When Unbound sends a watchub.pw. DS query, 1.1.1.1 may return the CNAME instead of a NODATA response, leaving Unbound unable to figure out whether the zone uses DNSSEC, and forcing it to respond with SERVFAIL.

watchub.pw. won’t work reliably as long as it doesn’t follow the DNS standards.

2 Likes
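A simplified model of the validator decision described above, added here as an illustrative example (it is not code from this thread or from Unbound itself); the response objects, record names and the NSEC3 owner name are constructed for the example:

```python
# Added example: how a validating resolver such as Unbound classifies the
# response to a DS query at a delegation point, and why a CNAME leaking into
# that answer ends in SERVFAIL. Names and responses below are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

RR = Tuple[str, str]  # (owner name, RR type), e.g. ("watchub.pw.", "CNAME")

@dataclass
class DSResponse:
    qname: str                 # delegation point asked about, e.g. "watchub.pw."
    rcode: str                 # "NOERROR", "NXDOMAIN", ...
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)

def classify_ds_response(resp: DSResponse) -> str:
    """Decide what a validator learns about resp.qname from a DS query.

    "secure"   - DS RRset present: the child zone is signed, keep validating.
    "insecure" - proven NODATA (SOA plus NSEC/NSEC3 in the authority section):
                 unsigned child, the resolver answers without validation.
    "bogus"    - anything else; the resolver returns SERVFAIL to the client.
    """
    if resp.rcode != "NOERROR":
        return "bogus"
    answer_types = {rtype for name, rtype in resp.answer if name == resp.qname}
    if "DS" in answer_types:
        return "secure"
    if "CNAME" in answer_types:
        # A CNAME at the delegation point: the answer is neither a DS RRset
        # nor a NODATA proof, so the validator cannot tell whether the child
        # zone is signed and has to give up.
        return "bogus"
    auth_types = {rtype for _, rtype in resp.authority}
    if "SOA" in auth_types and auth_types & {"NSEC", "NSEC3"}:
        return "insecure"
    return "bogus"

# Constructed responses for the case in this thread.
CNAME_LEAK = DSResponse("watchub.pw.", "NOERROR",
                        answer=[("watchub.pw.", "CNAME")])
PROPER_NODATA = DSResponse("watchub.pw.", "NOERROR",
                           authority=[("pw.", "SOA"),
                                      ("constructed-hash.pw.", "NSEC3")])

if __name__ == "__main__":
    print("CNAME leak ->", classify_ds_response(CNAME_LEAK))      # bogus
    print("proper NODATA ->", classify_ds_response(PROPER_NODATA))  # insecure
```

The same delegation answered two ways by the parent is what makes the failure intermittent: only the NODATA form lets the resolver proceed.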
#3

Thanks for pointing that out… I did notice it indeed, it’s just that other DNS resolvers did not return SERVFAIL, I thought that maybe it could be important for Cloudflare :slight_smile: … anyway I will let the developer of that website know :wink:

#4

The other resolver might not work that way in the future – it might have a workaround for this problem, or it might have just coincidentally returned the proper DS response this time because it didn’t have the CNAME record cached.

1 Like