Failing to resolve wildcard domains when using DNS over TLS

Since last week I’m failing to resolve certain domains using unbound and forwarding to 1.1.1.1 and using DNS over TLS. If I don’t use TLS, the domains resolve fine.

I think the problem is related to wildcard domains. For example: jorti.fedoraproject.org. When forwarding unbound to [email protected] using DNS over TLS, I get a SERVFAIL response:

[...]
mar 19 23:10:24 unbound[67076]: [67076:3] info: verify rrset jorti.fedorapeople.org. A IN
mar 19 23:10:24 unbound[67076]: [67076:3] debug: verify sig 378 5
mar 19 23:10:24 unbound[67076]: [67076:3] debug: verify result: sec_status_secure
mar 19 23:10:24 unbound[67076]: [67076:3] debug: Validating a positive response
mar 19 23:10:24 unbound[67076]: [67076:3] debug: positive response was wildcard expansion and did not prove original data did not exist
mar 19 23:10:24 unbound[67076]: [67076:3] info: validate(positive): sec_status_bogus
[...]

If I query [email protected] without TLS, I can resolve it fine.

With Google’s [email protected] + TLS, I can resolve it too.

Is this a known problem?

Thank you.

Thanks @jorti this is super helpful, I’ll take a look.

Hi, I was debugging what I thought was a different issue but now appears to be a dupe of this one.

I wanted to confirm that I see the problem, but I believe you got the domain wrong which might make debugging harder. I think you’re referring to jorti.fedorapeople.org. Indeed I see a SERVFAIL on every subdomain, *.fedorapeople.org.

Edit: a little investigating reveals that this seems to be a problem with 1.1.1.1, not with Unbound or with TLS specifically. The following command fails (as shown) with 1.1.1.1, but succeeds with 8.8.8.8 or 9.9.9.9.

$ delv @1.1.1.1 jorti.fedorapeople.org
;; no valid NSEC resolving 'jorti.fedorapeople.org/A/IN': 1.1.1.1#53
;; resolution failed: no valid NSEC

Edit: Looks like these are all cases where the subdomains are resolved through wildcard records. The problem seems to be that Cloudflare isn’t providing the data for downstream resolvers to verify the NSEC for the subdomain in these cases. I can validate Cloudflare’s negative response for x.example.org, so NSECs are being correctly sent for NXDOMAIN. I think the relevant RFC bit is here.
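The validation step that fails here, written out as an added example (not code from the thread, from unbound or from Cloudflare): a positive answer whose RRSIG `labels` field is smaller than the owner name's label count was synthesized from a wildcard, and RFC 4035 section 3.1.3.3 then requires an NSEC covering the query name to prove the exact name does not exist. Records are modelled as plain Python values rather than parsed from the wire, and the NSEC data is constructed for illustration.

```python
def labels(name: str) -> list:
    """Split a domain name into lowercased labels, ignoring the trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def canonical_less(a: str, b: str) -> bool:
    """RFC 4034 section 6.1 canonical ordering: compare rightmost labels first."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return x.encode() < y.encode()
    return len(la) < len(lb)   # a parent name sorts before its children

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly inside the (owner, next) gap of an NSEC."""
    if canonical_less(owner, next_name):
        return canonical_less(owner, qname) and canonical_less(qname, next_name)
    # The last NSEC in a zone wraps around to the apex: the gap is open-ended.
    return canonical_less(owner, qname) or canonical_less(qname, next_name)

def is_wildcard_expansion(rrset_owner: str, rrsig_labels: int) -> bool:
    """RRSIG labels field smaller than the owner's label count => synthesized."""
    return rrsig_labels < len(labels(rrset_owner))

def validate_positive(qname: str, rrset_owner: str, rrsig_labels: int, nsecs: list) -> str:
    """Mirror unbound's 'Validating a positive response' step for a signed answer.

    nsecs is a list of (owner, next_name) pairs from the authority section.
    Assumes the RRSIG itself has already been verified (sec_status_secure above).
    """
    if not is_wildcard_expansion(rrset_owner, rrsig_labels):
        return "sec_status_secure"          # exact-match answer, nothing more to prove
    if any(nsec_covers(o, n, qname) for o, n in nsecs):
        return "sec_status_secure"          # wildcard proof present
    # Wildcard expansion without a covering NSEC: the logged failure in this thread.
    return "sec_status_bogus"

# Constructed inputs: *.fedorapeople.org answers jorti.fedorapeople.org (3 labels,
# RRSIG labels=2). Cloudflare's reply carried no NSEC; a compliant reply would.
QNAME = "jorti.fedorapeople.org."
NO_PROOF = validate_positive(QNAME, QNAME, 2, [])
WITH_PROOF = validate_positive(QNAME, QNAME, 2, [("*.fedorapeople.org.", "mirror.fedorapeople.org.")])
```

`NO_PROOF` reproduces the `sec_status_bogus` outcome from the unbound log above, while `WITH_PROOF` shows the same answer accepted once the authority section carries a covering NSEC.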

Thanks, yes, fix is being rolled out!

Great! It’s working for me now.

Thank you.

@mvavrusa maybe the fix is not fully rolled out? I’m also having problems with this domain:

gss--c.na94.visual.force.com

Hi, it should be almost fully rolled out by now.