Just did a DNS test from DNS OARC and the test resulted in a mediocre C grade.
Cloudflare seems to be failing the basic DNSSEC test. On investigating this, the domain requested is clearly bogus and should not return any result other than a SERVFAIL.
Will this be fixed soon?
Just tested again today, still happening.
Google, Quad9, OpenDNS and other big resolvers seem to correctly return no result; however, Cloudflare DOES. This is basic DNSSEC and should NOT fail so miserably. This is clearly a BUG. It worries me that Cloudflare has not replied on this yet.
Zone cmdns.dev.dns-oarc.net (77.72.225.250) returns NXDOMAIN for s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net
May I ask, have you tried purging/flushing the DNS cache for the A, AAAA, NS, DNSKEY and DS records using the tools below, for the main domain dns-oarc.net and then for that sub-sub-sub domain (maybe too deep a one?):
QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN A
ANSWER
Record not found!
QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN AAAA
ANSWER
Record not found!
QUESTION
s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net. IN NS
ANSWER
Record not found!
Hm, is it really a bug at the provider server?
Therefore, may I ask, is there any A or AAAA type DNS record defined in the Cloudflare dashboard → DNS tab for this sub-sub-sub domain? As far as I have checked, none are being found or propagated/resolved on lookup.
“Check My DNS” is a tool to check DNS server features by “testing your configured resolvers using your browser and special crafted domain names.” Furthermore: “With the special crafted subdomains and the ability to send “wrong” DNS answers it is possible to analyze the functionality and hopefully tell what RFCs the clients DNS resolver infrastructure supports.”
The domain (s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net) was just a test generated by the server. It will expire within 24 hours, which is why you see an NXDOMAIN now. To create a fresh domain like that, just run the test yourself here using Cloudflare and click on the red bar under “Basic DNS”. I just did it now and was given the domain qoqpgqi1556mhd3qik1m1m3fu8.cmdns.dev.dns-oarc.net. Then I use that domain to check, for example with dig:
Thank you kindly for the explanation, as I hadn't known that before now.
I could agree with that one too, as I remember once, while using DNSViz on one of my .eu domains signed with DNSSEC (domain on Cloudflare), it showed an error, even though all the correct settings were applied and DNSSEC was working fine.
That DNSViz thread you sent looked very peculiar indeed and it does seem like a bug on their end. However, looking at the other resolvers (Google, Quad9 and OpenDNS), they seem to all respond with a SERVFAIL. So we could assume that the domain is actually BOGUS.
Was your DNSSEC bug fixed in the end? Perhaps Cloudflare has trouble with recently signed DNSSEC domains, as these test domains from “Check My DNS” are created just at that moment, whereas other domains, like the test here, have been signed for quite some time and seem to work fine.
Hm, from different tests, it seems to be ok, but using DNSVIZ it is still the same - “timed out or failed” for nl.dns.eu, so I am not sure if it actually works as it is supposed to.
Hi, the ; OPT=15: 00 02 ("..") in your dig response means that the DS digest algorithm is unsupported (see code 2 in RFC 8914, Extended DNS Errors), which also means you get an insecure response back (the AD flag is missing). This is not the most accurate error code, but the reason for this is that the signature length for the SEP key is shorter than the expected hash length (which is 256 bits for RSASHA256), so there’s no way to use it to verify the record it is signing. I agree it would be better to treat it as bogus than as invalid data in this case; I’ll create a ticket to track this.
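The reply above turns on three things a stub can read off the wire without any knowledge of the zone: the RCODE (SERVFAIL means the validator refused the answer as bogus), the AD flag (set only when the resolver validated the chain), and the RFC 8914 Extended DNS Error carried as EDNS option code 15, whose first two bytes are the INFO-CODE that dig printed as "00 02". The following is an added example, not code from this thread or from Cloudflare or DNS-OARC. It builds three constructed wire responses (NOERROR without AD plus EDE 2, which is what the thread describes for 1.1.1.1; SERVFAIL with EDE 6 for the resolvers that treated the name as bogus; and a validated answer with AD set), parses the OPT record, and reports the verdict. The INFO-CODE table is the initial registry from RFC 8914 section 4; the query name reuses the expired test name from the thread; message IDs and payload size are arbitrary.

```python
"""Classify a DNS response by RCODE, AD flag and RFC 8914 Extended DNS
Errors (EDNS option 15). All messages here are constructed offline."""
import struct

OPT_TYPE, EDE_OPTION_CODE, RCODE_SERVFAIL, FLAG_AD = 41, 15, 2, 0x0020

# RFC 8914 section 4, initial INFO-CODE assignments.
EDE_NAMES = {
    0: "Other Error", 1: "Unsupported DNSKEY Algorithm",
    2: "Unsupported DS Digest Type", 3: "Stale Answer", 4: "Forged Answer",
    5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered",
    18: "Prohibited", 19: "Stale NXDomain Answer", 20: "Not Authoritative",
    21: "Not Supported", 22: "No Reachable Authority", 23: "Network Error",
    24: "Invalid Data",
}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (pointers are 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_ede(rdata):
    """Yield (info_code, extra_text) for each EDE option in OPT RDATA."""
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        data = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code == EDE_OPTION_CODE and len(data) >= 2:
            yield struct.unpack("!H", data[:2])[0], data[2:].decode("utf-8", "replace")


def dig_style(data):
    """Render option bytes as older dig does: '; OPT=15: 00 02 ("..")'."""
    hexs = " ".join(f"{b:02x}" for b in data)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f'; OPT={EDE_OPTION_CODE}: {hexs} ("{text}")'


def classify(msg):
    """Return rcode, ad, ede [(code, name, text)] and a verdict string."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    ede = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            ede += [(c, EDE_NAMES.get(c, "Unassigned"), t) for c, t in parse_ede(rdata)]
    rcode, ad = flags & 0x000F, bool(flags & FLAG_AD)
    # SERVFAIL: validator refused the answer. AD: chain validated. Else: unvalidated.
    verdict = "bogus" if rcode == RCODE_SERVFAIL else ("secure" if ad else "insecure")
    return {"rcode": rcode, "ad": ad, "ede": ede, "verdict": verdict}


def build_response(qname, flags, ede_info=None, ede_text=b""):
    """Constructed minimal response: header, one A question, one OPT RR."""
    opt_rdata = b""
    if ede_info is not None:
        data = struct.pack("!H", ede_info) + ede_text
        opt_rdata = struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)   # arbitrary ID
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # A, IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0x80000000, len(opt_rdata))
    return header + question + opt + opt_rdata


QNAME = "s0uoq3ph610t95u9cmk1dusttg.cmdns.dev.dns-oarc.net."  # expired test name
QR_RD_RA = 0x8180
UNVALIDATED = build_response(QNAME, QR_RD_RA, ede_info=2)                      # no AD, EDE 2
BOGUS = build_response(QNAME, QR_RD_RA | RCODE_SERVFAIL, ede_info=6, ede_text=b"bogus")
SECURE = build_response("example.net.", QR_RD_RA | FLAG_AD)                    # validated

if __name__ == "__main__":
    for label, msg in (("no-AD+EDE2", UNVALIDATED), ("servfail", BOGUS), ("ad", SECURE)):
        r = classify(msg)
        print(label, r["verdict"], r["ede"])
        for code, _, text in r["ede"]:
            print("  " + dig_style(struct.pack("!H", code) + text.encode()))
```

The point of the `verdict` logic is the one the staff reply concedes: an EDE option is informational, so a response that carries EDE 2 with NOERROR and no AD is still consumed by clients as an ordinary unvalidated answer, whereas SERVFAIL is the only signal a plain stub acts on.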