CF DNS resolvers return EDE: 7 (Signature Expired)

I’ve received a complaint from a customer who sends e-mail to us: it can’t be delivered because of a domain verification error for the domain @orifarm.com.

# dig mx orifarm.com @1.1.1.1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): (failed to verify orifarm.com. MX: RRSIG orifarm.com., expiration = 1683617640)

Other resolver:

#  dig mx orifarm.com @8.8.8.8

;; ANSWER SECTION:
orifarm.com.            3575    IN      MX      10 orifarm-com.mail.protection.outlook.com.
orifarm.com.            3575    IN      MX      20 orifarm-com.mail.protection.outlook.com.
orifarm.com.            3575    IN      MX      30 orifarm-com.mail.protection.outlook.com.

After some digging it looks like the local (Poland) CF servers have a stale cache for this domain, because I see from my server:

# dig dnskey orifarm.com @1.1.1.1

;; ANSWER SECTION:
orifarm.com.            173     IN      DNSKEY  256 3 8 AwEAAa8Yu97Y8BmEbP98xChekGDbZljBrHKeJYHnqKVwQGBzlUwkQN4Z KFVtsHFjl01+u/BJEaIJ5aLVptTS8av6XpnzqE4zqIHKG5CgjLOh7/0I dd3+fb0ZY/IepvLeCSsUIEwV6eFpTGF84iJZabEibG6jMlTWuDHxUFGF GE9NJ9pZeEInvbugAA1hGJmdP0Q9Wl+pCQRY8I85zT/TUV+hO/RAn/OX ilAp0krOgmral48ejb0SaNlGhF8c+wkCAYMqu6x4ziTqzII0nHQtpKQf /K8NJPuHrOitBJdQDwgIZjPmyWex4Ubk6oow+DX1KDWgIBCRW8NP6Tg1 wG+fkuwmnbk=
orifarm.com.            173     IN      DNSKEY  256 3 8 AwEAAcCkayIbqGFpho4SCIWABvUXqHR0fJjOak6CcskDzJNc8xeJrss8 s0dpidZAlLUUB2Lr9cnLjx21q5MOHqjjeAGc1uPfcAvia+AXXxptwT/U QZN8+NolUIdOH1t8ZDxF296OYTJ9K+7dJsuiRxypYRWKYPs7ZILLCJbT Jj6cXGa+SLmUDu1adBxfcP2QDCiOJPksXbzLY+MPQg1mVx+2jZuJRpmh GP8JAM0PujRmX22O7HdhJj+vWVcEoeLdG1ZaQxuVfhiW/lTAnR6nLBoI 6A2FeD2Rcm0BJ98ackSWbJZcFZ2MljaDVA5Dd6LlxK7ow9Hf1+57APE5 htWIHqWrkCc=
orifarm.com.            173     IN      DNSKEY  256 3 8 AwEAAe1QCeOvj7nhF+/0LIL+3t9oJTLp9cMSao/vSjYSYZSxjHDfLwao HG6SNPpkOgtWDsOzzTjBjJi0HjJNMifyVIcv0tTPZF/t/Nu+eQSfpQku cVpfbJ5PaRZBnLiyrWJk2yL4pEa2eGtrMqjBHqppDJudbpdXNoLd3E6x oblWPc9wYXv/Gqkca9TrfUPVPAIT1fKQN3ManGyjNQyTWosuYwMmEZUD 2+K5KZkprI2hdJyYcnMNKGeves93UpYL0bWeKAA317JYoLppLJwHdoue /Z+ukm8FAmW4HXMKwLihg8KsajYW8w72jpLoka7Ign69T4ca1pjzqXAA prsj9nH3Mf0=
orifarm.com.            173     IN      DNSKEY  257 3 8 AwEAAbgLDB2fn6VIMRjJcpa/Lf5USET5RaiKk3/84hbJOJnFAJaLOPq6 iw4eEdgL/wMQs56IM5QYTqqT2v5zX6fHtD7Ps3ACnk7dw2GsepgW6F0a 44LnRGUPp0GuA4vkhN+M3IncdqfBj3lIEswAr9v3nC4UMWS3aFkOBZK3 rWYkSTNOxcBoWd8ekW7H9D4P04eUBehx0pQeedyJdcrtMbgh6XnIudsk zCltM8ekumfEWvaWSzf5xrQVEc40nKiUhFmz02S88i6tMglVCt5Bvlkj MB+ML5uuwkT2ILMqy7BKQCI9Fc7yrleB9nJ6pgJl2eiBQ6tj/ELwnl9G yZ6XHtRIyVM=

And using other resolver:

# dig dnskey orifarm.com @8.8.8.8

orifarm.com.            3600    IN      DNSKEY  256 3 8 AwEAAe1QCeOvj7nhF+/0LIL+3t9oJTLp9cMSao/vSjYSYZSxjHDfLwao HG6SNPpkOgtWDsOzzTjBjJi0HjJNMifyVIcv0tTPZF/t/Nu+eQSfpQku cVpfbJ5PaRZBnLiyrWJk2yL4pEa2eGtrMqjBHqppDJudbpdXNoLd3E6x oblWPc9wYXv/Gqkca9TrfUPVPAIT1fKQN3ManGyjNQyTWosuYwMmEZUD 2+K5KZkprI2hdJyYcnMNKGeves93UpYL0bWeKAA317JYoLppLJwHdoue /Z+ukm8FAmW4HXMKwLihg8KsajYW8w72jpLoka7Ign69T4ca1pjzqXAA prsj9nH3Mf0=
orifarm.com.            3600    IN      DNSKEY  257 3 8 AwEAAbgLDB2fn6VIMRjJcpa/Lf5USET5RaiKk3/84hbJOJnFAJaLOPq6 iw4eEdgL/wMQs56IM5QYTqqT2v5zX6fHtD7Ps3ACnk7dw2GsepgW6F0a 44LnRGUPp0GuA4vkhN+M3IncdqfBj3lIEswAr9v3nC4UMWS3aFkOBZK3 rWYkSTNOxcBoWd8ekW7H9D4P04eUBehx0pQeedyJdcrtMbgh6XnIudsk zCltM8ekumfEWvaWSzf5xrQVEc40nKiUhFmz02S88i6tMglVCt5Bvlkj MB+ML5uuwkT2ILMqy7BKQCI9Fc7yrleB9nJ6pgJl2eiBQ6tj/ELwnl9G yZ6XHtRIyVM=
orifarm.com.            3600    IN      DNSKEY  256 3 8 AwEAAa8Yu97Y8BmEbP98xChekGDbZljBrHKeJYHnqKVwQGBzlUwkQN4Z KFVtsHFjl01+u/BJEaIJ5aLVptTS8av6XpnzqE4zqIHKG5CgjLOh7/0I dd3+fb0ZY/IepvLeCSsUIEwV6eFpTGF84iJZabEibG6jMlTWuDHxUFGF GE9NJ9pZeEInvbugAA1hGJmdP0Q9Wl+pCQRY8I85zT/TUV+hO/RAn/OX ilAp0krOgmral48ejb0SaNlGhF8c+wkCAYMqu6x4ziTqzII0nHQtpKQf /K8NJPuHrOitBJdQDwgIZjPmyWex4Ubk6oow+DX1KDWgIBCRW8NP6Tg1 wG+fkuwmnbk=

Online DNSKEY verification sites (like mxtoolbox) show the same 3 DNSKEY entries as 8.8.8.8, thus I think the problem is only near me (local servers’ cache).

Please help.

You can purge 1.1.1.1’s cache here: https://1.1.1.1/purge-cache/

Thanks, but it looks like someone did some magic before I clicked purge.
Thanks also to that someone :smile:.

Do you know any way to prevent or minimize these types of errors?

You can use a lower TTL value for the records and their signatures, as that’s what tells the resolver how long to cache things. From the dig you can see the 1.1.1.1 response had the key cached for another 173 seconds, but 8.8.8.8 didn’t have it in cache (TTL = 3600 seconds, which matches the original TTL).


Thanks, but it is not my domain but the customer’s. This cache error lasted for about 3 days before the cache was purged.

There’s an upper bound on how long a resolver is willing to cache (3-6 hours) regardless of the TTL, so the expired signatures must have been fixed within that time frame prior to the cache purge then.
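The two replies above turn on the same arithmetic: a validating resolver compares the RRSIG inception/expiration window with the current time, and it must not keep serving a signed RRset past that expiration whatever the record TTL (RFC 4035 §4.5), with its own cache cap on top. The following is an added example, not code from the thread or from Cloudflare; it decodes the expiration quoted in the EDE line and the inception date from the later post, and the 6-hour resolver cap is an assumed value standing in for the "3-6 hours" mentioned.

```python
import datetime as dt
import re

# Constructed sample input, modelled on the EDE line and RRSIG inception
# quoted in this thread (values taken from the posts, not fetched live).
EDE_LINE = ("; EDE: 7 (Signature Expired): (failed to verify orifarm.com. MX: "
            "RRSIG orifarm.com., expiration = 1683617640)")
INCEPTION_TEXT = "20230430161600"   # RRSIG presentation format, UTC
ASSUMED_RESOLVER_MAX_TTL = 6 * 3600  # assumed cap, mirrors the "3-6 hours" reply


def parse_rrsig_time(text: str) -> int:
    """RFC 4034 s3.2: RRSIG times are YYYYMMDDHHmmSS (UTC) or plain epoch seconds."""
    if len(text) == 14:
        t = dt.datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
        return int(t.timestamp())
    return int(text)


def parse_ede_expiration(line: str) -> int:
    """Pull the epoch expiration out of an EDE 7 extra-text line as dig prints it."""
    m = re.search(r"expiration = (\d+)", line)
    if not m:
        raise ValueError("no expiration in EDE line")
    return int(m.group(1))


def format_utc(epoch: int) -> str:
    return dt.datetime.fromtimestamp(epoch, dt.timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def signature_status(inception: int, expiration: int, now: int) -> str:
    """The validity-window check a validating resolver performs (RFC 4035 s5.3.1)."""
    if now < inception:
        return "not yet valid"
    if now > expiration:
        return "expired"
    return "valid"


def effective_cache_ttl(record_ttl: int, expiration: int, now: int,
                        resolver_max_ttl: int = ASSUMED_RESOLVER_MAX_TTL) -> int:
    """How long a validating resolver may keep serving the RRset: the record TTL,
    capped by the time left until RRSIG expiration and by the resolver's own cap."""
    return max(0, min(record_ttl, expiration - now, resolver_max_ttl))


if __name__ == "__main__":
    inc, exp = parse_rrsig_time(INCEPTION_TEXT), parse_ede_expiration(EDE_LINE)
    print("valid from", format_utc(inc), "until", format_utc(exp))
    print("status at expiration+1h:", signature_status(inc, exp, exp + 3600))
    print("cache TTL 10 min before expiry:", effective_cache_ttl(3600, exp, exp - 600))
```

Run as-is it shows the signature the 1.1.1.1 node was still serving had expired on 2023-05-09 07:34:00 UTC, which lines up with the dates in the last post; a record with a 3600 s TTL fetched ten minutes before that should have been cached for at most 600 s.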

Very weird, because, I think, the signatures were updated at about 20230430161600 (RRSIG validity start date). Between 30.04 and 09.05 the domain data was properly read from the CF DNS servers, and between 10.05 and 12.05 the problem occurred.
I think the real culprit can’t be found now, but maybe in the future I’ll get the error soon enough to post here to catch the bug.
Thanks for the help.
