1.1.1.1 RPKI Origin Validation on IPv4 Much Slower than on IPv6

I noticed that testing of RPKI origin validation on Check My DNS always hangs when validating RPKI on IPv4-only enabled servers.

Down below I have made the two requests using DiG showing this. IPv4 validation takes almost 6 times longer than IPv6.

P.S., yes, it does not matter if it’s an A or AAAA request, as the DNS server should not return any result if the RPKI origin validation fails – but if RPKI validation is not enabled, the particular servers only return AAAA records for the IPv6 tests and A records for the IPv4 tests.

IPv6

[email protected] ~ % dig t8vcjetem10p36hs6qumuapoko.cmdns.dev.dns-oarc.net. @1.1.1.1 aaaa

; <<>> DiG 9.10.6 <<>> t8vcjetem10p36hs6qumuapoko.cmdns.dev.dns-oarc.net. @1.1.1.1 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48591
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;t8vcjetem10p36hs6qumuapoko.cmdns.dev.dns-oarc.net. IN AAAA

;; Query time: 706 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Oct 17 12:03:26 CEST 2021
;; MSG SIZE  rcvd: 90

IPv4

[email protected] ~ % dig 7qhkvm0tf56ll6hasaj648dno0.cmdns.dev.dns-oarc.net. @1.1.1.1 a

; <<>> DiG 9.10.6 <<>> 7qhkvm0tf56ll6hasaj648dno0.cmdns.dev.dns-oarc.net. @1.1.1.1 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25962
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;7qhkvm0tf56ll6hasaj648dno0.cmdns.dev.dns-oarc.net. IN A

;; Query time: 3996 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Oct 17 12:03:37 CEST 2021
;; MSG SIZE  rcvd: 90

Hi @milk

For the failure case, the name server doesn’t respond with anything, resulting in a resolver timeout. The total time of around 4s is expected, while a shorter time could be due to negative caching.

Ah yes, of course, if the RPKI validation fails there is no response. Would it be possible to let the resolver know that the validation failed so it could immediately return a SERVFAIL instead of waiting for a timeout?

I noticed that for IPv4 1.1.1.1 has a timeout of around 4000ms, while for IPv6 it’s only around 700ms. Is there a reason for the big difference? I also tested OpenDNS’s resolver and noticed they have a timeout of around 1000ms for IPv4 and 2500ms for IPv6.

Would it be an option to lower the timeout for IPv4 queries? Perhaps to 1000ms? @anb

IPv4 Test 1.1.1.1 (with RPKI) – Returns SERVFAIL after ~4000ms

[email protected] ~ % dig va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @1.1.1.1 a       

; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @1.1.1.1 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36312
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. IN A

;; Query time: 4012 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Oct 19 10:59:23 CEST 2021
;; MSG SIZE  rcvd: 90

IPv4 Test OpenDNS (with RPKI) – Returns SERVFAIL after ~1000ms

[email protected] ~ % dig va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @208.67.222.222 a

; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @208.67.222.222 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=15: 00 0e ("..")
;; QUESTION SECTION:
;va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. IN A

;; Query time: 1065 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Oct 19 10:59:31 CEST 2021
;; MSG SIZE  rcvd: 84

IPv4 Test Google (without RPKI) – Returns reply

[email protected] ~ % dig va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @8.8.8.8 a       

; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @8.8.8.8 a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2070
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. IN A

;; ANSWER SECTION:
va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. 60 IN A 77.72.225.250

;; Query time: 218 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 19 10:59:35 CEST 2021
;; MSG SIZE  rcvd: 94

IPv6 Test 1.1.1.1 (with RPKI) – Returns SERVFAIL after ~750ms

[email protected] ~ % dig khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @1.1.1.1 aaaa

; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @1.1.1.1 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27730
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. IN AAAA

;; Query time: 816 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Oct 19 10:59:42 CEST 2021
;; MSG SIZE  rcvd: 90

IPv6 Test OpenDNS (with RPKI) – Returns SERVFAIL after ~2000ms

[email protected] ~ % dig khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @208.67.222.222 aaaa

; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @208.67.222.222 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50550
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; OPT=15: 00 18 ("..")
;; QUESTION SECTION:
;khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. IN AAAA

;; Query time: 2105 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Oct 19 10:59:49 CEST 2021
;; MSG SIZE  rcvd: 84

IPv6 Test Google (without RPKI) – Returns reply

[email protected] ~ % dig khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @8.8.8.8 aaaa       

; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @8.8.8.8 aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3510
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. IN AAAA

;; ANSWER SECTION:
khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. 60 IN AAAA 2a01:3f0:0:57::250

;; Query time: 145 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 19 10:59:53 CEST 2021
;; MSG SIZE  rcvd: 106
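The reply from staff above attributes the ~4s SERVFAIL to the resolver waiting out an authoritative server that stays silent when origin validation fails, and the faster SERVFAILs to the resolver giving up early or serving a negative-cache entry. The script below is an added example, not code from this thread, from Check My DNS, or from any resolver operator: it parses dig transcripts in the format quoted here, labels each SERVFAIL as a probable upstream timeout or a fast failure, and computes the A/AAAA slowdown per resolver. The 3000 ms threshold is an assumption chosen for the example (no resolver documents it), and the embedded sample is the six runs quoted above, abridged to the lines the parser needs.

```python
"""Added example: parse dig transcripts like those quoted in this thread and
separate SERVFAILs that look like upstream timeouts from fast failures.
Not code from the thread or from any resolver operator."""
import re
from dataclasses import dataclass


@dataclass
class DigResult:
    server: str
    qname: str
    qtype: str
    status: str
    answers: int
    query_ms: int


# Field patterns for the dig lines we need; everything else is ignored.
BANNER_RE = re.compile(r"^; <<>> DiG \S+ <<>> (\S+) @(\S+) (\S+)\s*$", re.M)
STATUS_RE = re.compile(r"status: (\w+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")
QTIME_RE = re.compile(r"Query time: (\d+) msec")


def parse_dig(text):
    """Split a log holding several dig runs (one banner each) into records."""
    results = []
    for chunk in re.split(r"(?m)^(?=; <<>> DiG )", text):
        banner = BANNER_RE.search(chunk)
        if not banner:
            continue
        qname, server, qtype = banner.group(1), banner.group(2), banner.group(3).upper()
        status, answers, qtime = (p.search(chunk) for p in (STATUS_RE, ANSWER_RE, QTIME_RE))
        if not (status and answers and qtime):
            continue  # truncated run: skip instead of guessing values
        results.append(DigResult(server, qname, qtype, status.group(1),
                                 int(answers.group(1)), int(qtime.group(1))))
    return results


def classify(r, timeout_ms=3000):
    """Label one run. timeout_ms is an assumed threshold chosen for this
    example; it is not a documented setting of any resolver."""
    if r.status == "NOERROR" and r.answers > 0:
        return "answered"
    if r.status == "SERVFAIL" and r.query_ms >= timeout_ms:
        return "servfail-timeout"  # fits waiting out a silent authoritative server
    if r.status == "SERVFAIL":
        return "servfail-fast"     # resolver gave up early or answered from negative cache
    return "other"


def report(text, timeout_ms=3000):
    """Map (server, qtype) -> (status, query_ms, label) for every run in text."""
    return {(r.server, r.qtype): (r.status, r.query_ms, classify(r, timeout_ms))
            for r in parse_dig(text)}


def slowdown_ratio(text, server):
    """How many times longer the A query took than the AAAA query at one resolver."""
    rep = report(text)
    return rep[(server, "A")][1] / rep[(server, "AAAA")][1]


# Constructed sample: the six runs quoted in the thread, abridged to the lines
# the parser needs (banner, header, flags, query time).
SAMPLE = """\
; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @1.1.1.1 a
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36312
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 4012 msec
; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @208.67.222.222 a
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29080
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 1065 msec
; <<>> DiG 9.10.6 <<>> va1c24m46169da6rchmj72ca2c.cmdns.dev.dns-oarc.net. @8.8.8.8 a
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2070
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 218 msec
; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @1.1.1.1 aaaa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27730
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 816 msec
; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @208.67.222.222 aaaa
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50550
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 2105 msec
; <<>> DiG 9.10.6 <<>> khrkd4ii71093890pdlodivhr0.cmdns.dev.dns-oarc.net. @8.8.8.8 aaaa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3510
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 145 msec
"""

if __name__ == "__main__":
    for (server, qtype), (status, ms, label) in report(SAMPLE).items():
        print(f"{server:16} {qtype:5} {status:9} {ms:5d} ms  {label}")
    print(f"1.1.1.1 A/AAAA slowdown: {slowdown_ratio(SAMPLE, '1.1.1.1'):.1f}x")
```

Running it on the sample labels only the 1.1.1.1 A query as a timeout-shaped SERVFAIL; the other SERVFAILs come back well under the threshold, which is the pattern a negative-cache hit or an early give-up would produce. Feeding it a live capture of several runs against the same name (so that the first run is a cache miss and later ones can hit negative cache) is the quickest way to tell the two cases apart.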
