1.1.1.1 seems to falsely report a DNSSEC error

Hi! Other resolvers (Unbound, Bind9, 8.8.8.8, 9.9.9.9) resolve this fine. But 1.1.1.1 provides SERVFAIL:

$ dig community.inbetweencows.nl +dnssec @1.1.1.1

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> community.inbetweencows.nl +dnssec @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64328
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus): (wildcard expansion proof for community.inbetweencows.nl.)
;; QUESTION SECTION:
;community.inbetweencows.nl.    IN      A
...

It might be related to the fact that the response with “checking disabled” does not provide the NSEC RR in the Authority section (but the RRSIG for the missing NSEC):

$ dig a community.inbetweencows.nl.  @1.1.1.1 +dnssec +cd +nsid

; <<>> DiG 9.18.24-1-Debian <<>> a community.inbetweencows.nl. @1.1.1.1 +dnssec +cd +nsid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18607
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; NSID: 37 32 31 6d 38 30 ("721m80")
;; QUESTION SECTION:
;community.inbetweencows.nl.    IN      A

;; ANSWER SECTION:
community.inbetweencows.nl. 600 IN      CNAME   hosting-1b.mijndomein-ws.nl.
community.inbetweencows.nl. 600 IN      RRSIG   CNAME 13 2 600 20240613000000 20240523000000 13734 inbetweencows.nl. G/naAd/7dANnCz9SmPgnaPBmL6KzXSsl2aUbHKdzBh87TPnj61nBq+mu sJOWsY4jjsNls0T0Iutq72Q2EnF/dw==
hosting-1b.mijndomein-ws.nl. 300 IN     A       34.240.160.162
hosting-1b.mijndomein-ws.nl. 300 IN     RRSIG   A 13 3 300 20240603161903 20240603141403 28943 mijndomein-ws.nl. ZFc3mr94USKorI4YxNxuTQzwaQTEt1tTwqVd1PVcj89GKX9e+xb7enmJ UAN6k9DL5VCzCbTrIoqKMTmXEawlWQ==

;; AUTHORITY SECTION:
soverin3._domainkey.inbetweencows.nl. 3600 IN RRSIG NSEC 13 4 3600 20240613000000 20240523000000 13734 inbetweencows.nl. +rTDyu5tCFgYIHcroSJF4HnvscVkYGyc3V1x2Vj8dqFYeOLG7JwoLYKN isYbcaregdBpZ5kikFX34TKQ7dSY/w==

;; Query time: 204 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Jun 03 15:14:03 UTC 2024
;; MSG SIZE  rcvd: 476

Hi @klaus.darilion

I just ran the same commands you did and I am not getting that SERVFAIL status:

dig community.inbetweencows.nl +dnssec @1.1.1.1

; <<>> DiG 9.10.6 <<>> community.inbetweencows.nl +dnssec @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;community.inbetweencows.nl.	IN	A

Did you make any recent changes?

Hi @bujangnim,

No changes were made to this zone. We assumed you noticed the report and made a fix. For the same customer I do have more issues with wildcard CNAME records.

For example *.shotsandscenes.nl. Here I also noticed that when I query a new hostname, the first request may succeed, but the subsequent requests for the same hostname always fail.

$ dig jolanda17121.shotsandscenes.nl @1.1.1.1 +dnssec

; <<>> DiG 9.18.24 <<>> jolanda17121.shotsandscenes.nl @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5428
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;jolanda17121.shotsandscenes.nl.        IN      A

;; ANSWER SECTION:
jolanda17121.shotsandscenes.nl. 600 IN  CNAME   hosting-1a.mijndomein-ws.nl.
jolanda17121.shotsandscenes.nl. 600 IN  RRSIG   CNAME 13 2 600 20240620000000 20240530000000 29766 shotsandscenes.nl. pqbtmI/Q7UtN8Ou4v8vj58A+V9I4vF4b79XZVUYgznUzdt1I5dQKUvS0 GZCVVykckTDoGMftoHVRLZJi8trhug==
hosting-1a.mijndomein-ws.nl. 300 IN     A       34.240.216.169
hosting-1a.mijndomein-ws.nl. 300 IN     RRSIG   A 13 3 300 20240607133256 20240607112756 28943 mijndomein-ws.nl. cn3TN1Sv3W99pLPzWjpGZEYCIcOvbWQxhFnU6xitDf604czczIg9TeFD mtAs1ee8bAzBt4SnnB44ec/64WSl5g==

;; AUTHORITY SECTION:
db.shotsandscenes.nl.   3600    IN      NSEC    mail.shotsandscenes.nl. CNAME RRSIG NSEC
db.shotsandscenes.nl.   3600    IN      RRSIG   NSEC 13 3 3600 20240620000000 20240530000000 29766 shotsandscenes.nl. VK0zFpfOz/LmfFcJRzJ2v7x7VOM3lYUoMOVBD0mwWiHykR0DKIkhN/HY xh8TSY/PgkHozw/afB+ytQIzY9J1Tw==

;; Query time: 43 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Jun 07 14:27:56 CEST 2024
;; MSG SIZE  rcvd: 499

$ dig jolanda17121.shotsandscenes.nl @1.1.1.1 +dnssec

; <<>> DiG 9.18.24 <<>> jolanda17121.shotsandscenes.nl @1.1.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus): (wildcard expansion proof for jolanda17121.shotsandscenes.nl.)
;; QUESTION SECTION:
;jolanda17121.shotsandscenes.nl.        IN      A

;; Query time: 67 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Jun 07 14:27:58 CEST 2024
;; MSG SIZE  rcvd: 125
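
The "wildcard expansion proof" named in the EDE text can be illustrated on the responses quoted above. This is an added example, not part of any post in the thread and not Cloudflare's code: it checks whether dig output that came from a wildcard also carries an NSEC record whose range covers the query name. The function names are hypothetical, the sample lines are taken from the thread with the signature data shortened, and no signature is verified.

```python
# Added example, not from the thread: structural check only, no signature validation.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, lowercased."""
    return [l.encode() for l in reversed(name.rstrip(".").lower().split("."))]

def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between the NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC of the chain wraps around to the apex

def records(dig_text):
    """Yield (owner, type, rdata fields) for each resource record line."""
    for line in dig_text.splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";") and f[2] == "IN":
            yield f[0], f[3], f[4:]

def wildcard_proof(dig_text, qname):
    rrs = list(records(dig_text))
    qlabels = len(qname.rstrip(".").split("."))
    # RRSIG rdata: type covered, algorithm, labels, ... A labels value lower
    # than the owner's label count means the answer came from a wildcard.
    expanded = any(t == "RRSIG" and o.lower() == qname.lower()
                   and int(rd[2]) < qlabels for o, t, rd in rrs)
    if not expanded:
        return "no-wildcard-expansion"
    nsecs = [(o, rd[0]) for o, t, rd in rrs if t == "NSEC"]
    if any(nsec_covers(o, n, qname) for o, n in nsecs):
        return "nsec-covers-qname"
    return "no-covering-nsec"

# Sample input: record lines from the dig output quoted in the thread, with
# the signature data shortened to "sig" (constructed for this example).
SIG = "20240620000000 20240530000000 29766 shotsandscenes.nl. sig"
WITH_NSEC = f"""\
jolanda17121.shotsandscenes.nl. 600 IN CNAME hosting-1a.mijndomein-ws.nl.
jolanda17121.shotsandscenes.nl. 600 IN RRSIG CNAME 13 2 600 {SIG}
db.shotsandscenes.nl. 3600 IN NSEC mail.shotsandscenes.nl. CNAME RRSIG NSEC
db.shotsandscenes.nl. 3600 IN RRSIG NSEC 13 3 3600 {SIG}
"""
SIG2 = "20240613000000 20240523000000 13734 inbetweencows.nl. sig"
WITHOUT_NSEC = f"""\
community.inbetweencows.nl. 600 IN CNAME hosting-1b.mijndomein-ws.nl.
community.inbetweencows.nl. 600 IN RRSIG CNAME 13 2 600 {SIG2}
soverin3._domainkey.inbetweencows.nl. 3600 IN RRSIG NSEC 13 4 3600 {SIG2}
"""
```

Calling `wildcard_proof(WITH_NSEC, "jolanda17121.shotsandscenes.nl.")` reports a covering NSEC, while the `+cd` response for community.inbetweencows.nl, which carries only the RRSIG for an NSEC, does not.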

Hi @bujangnim,

After submitting the above I ran the query again and now it did work. So I kept running it every few seconds and it was flipping between working and not working for a few minutes. (Maybe I was hitting different instances on your side?) After a few minutes I stopped seeing errors.

However, when I use a tool like digwebinterface.com I keep getting random errors:

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain1.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain1.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain2.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain2.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 60	IN	A	34.240.216.169

[email protected] (Cloudflare):
randomsubdomain3.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Google):
randomsubdomain3.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain3.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 86	IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain4.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain4.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain5.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain5.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 298 IN	A	34.240.216.169

[email protected] (Cloudflare):
randomsubdomain6.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Google):
randomsubdomain6.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain6.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain7.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain7.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 58	IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain8.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain8.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain9.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain9.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169

[email protected] (Cloudflare):

[email protected] (Google):
randomsubdomain0.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 300 IN	A	34.240.216.169
[email protected] (Quad9):
randomsubdomain0.shotsandscenes.nl. 600	IN CNAME hosting-1a.mijndomein-ws.nl.
hosting-1a.mijndomein-ws.nl. 57	IN	A	34.240.216.169

@bujangnim Still failing randomly about 60% of the time.

@bujangnim Still failing randomly.

shotsandscenes.nl switched to an A record, so that domain is not affected anymore. Here is another example, for fwdwebdesign.nl

Hi, sorry for the trouble on resolving related domain names.

The issue was confirmed by the team when we received the first report, and a new release including the bugfix for this issue was scheduled. Currently, some servers have received the update but some haven’t yet.

You should no longer be hitting the issue after another 24 hours (when nearly all servers have received the update).
