1.1.1.1 isn't correctly resolving the ip6-servers.arpa and in-addr-servers.arpa zones

tugzrida · October 11, 2021, 10:48am

I’m seeing quite an odd error from 1.1.1.1 when trying to resolve hosts in the ip6-servers.arpa and in-addr-servers.arpa zones, which simply contain the hosts “a” through “f” for the various name servers.

Querying just the base of the zone (eg. ip6-servers.arpa) returns the SOA for that zone as expected, but querying for one of the name server names (eg. a.ip6-servers.arpa) returns an NXDOMAIN and the SOA for the arpa zone, which is especially odd: the ip6-servers.arpa zone appears to be known when querying for it directly, but when querying for names inside that zone, only the arpa zone is found.

Additionally, querying for reverse IP’s in the ip6.arpa and in-addr.arpa zones works fine, it’s just querying for the nameservers of those zones that is the issue.

Running a measurement in RIPE atlas seems to indicate that this is a global issue, and tests with other public recursors yield the expected results, so it just seems to be a configuration error on 1.1.1.1.

michael · October 11, 2021, 10:58am

Not sure if it is related, but c.ip6-servers.arpa seems to be down. Perhaps @mvavrusa can check if there is an issue?

tugzrida · October 11, 2021, 11:11am

Ah I hadn’t noticed C was down. I can ping it, but it’s not responding to queries.

I don’t think the behaviour I’m seeing would be caused by that though. If a server was not responding, I’d expect a SERVFAIL, whereas getting an NXDOMAIN with the SOA for the parent zone says to me that the resolver has no knowledge of the child zone.

If 1.1.1.1 uses a local copy of the root or arpa zones (rather than querying the root servers) and it’s mismatched or outdated, then that would make more sense to me as a cause. Perhaps some names are setup to use a local copy that doesn’t currently exist?

michael · October 11, 2021, 11:19am

Cloudflare do in fact have a local copy of the root servers, so they might only query the F-Root. https://blog.cloudflare.com/f-root/

mvavrusa · October 11, 2021, 5:34pm

Thanks for bringing this up! I don’t think roots serve ip6-servers.arpa locally, but let me check what could be the problem.

tugzrida · October 11, 2021, 10:30pm

Looks like it’s fixed now!

@mvavrusa, do you have a peek behind the curtain? I’m quite interested in what the problem could’ve been

mvavrusa · October 12, 2021, 12:27am

I still have to dig into the root cause, I suspect it’s because these two zones were treated as local, but they’re not.

tugzrida · October 12, 2021, 12:52am

Ah right, that’s pretty much what I suspected haha