Issue with DNS Resolver 1.1.1.1 for domain

Hello guys,

After we enabled DNSSEC on Friday, some of our clients who are using 1.1.1.1 or 1.0.0.1 are experiencing issues opening webpages hosted by us. Following the “Read me” guide, I’m attaching further information. Just to clarify, there are no such issues with Google DNS. From time to time the DNS resolver cache is populated with the entry, but after the TTL timeout it takes some time to populate the entry in the cache again.

dig @1.1.1.1 my.fibank.bg

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30737
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg. IN A

;; AUTHORITY SECTION:
fibank.bg. 3463 IN SOA gate.fibank.bg. root.fibank.bg. 2020013001 14400 3600 1209600 36000

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Feb 17 15:58:19 EET 2020
;; MSG SIZE rcvd: 87

dig +short CHAOS TXT id.server @1.1.1.1
"SOF"

https://dnsviz.net/d/fibank.bg/dnssec/?date=2020-02-14&date_search=Go+»

Hi @yasen.trichkov,

Are you still facing this issue?
Everything seems to be working out fine for me.

dig @1.1.1.1 my.fibank.bg

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39904
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg.			IN	A

;; ANSWER SECTION:
my.fibank.bg.		409	IN	A	193.178.166.36

;; Query time: 43 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Feb 19 02:43:03 -03 2020
;; MSG SIZE  rcvd: 57

dig @1.0.0.1 my.fibank.bg

; <<>> DiG 9.10.6 <<>> @1.0.0.1 my.fibank.bg
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50294
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg.			IN	A

;; ANSWER SECTION:
my.fibank.bg.		387	IN	A	193.178.166.36

;; Query time: 40 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Wed Feb 19 02:43:25 -03 2020
;; MSG SIZE  rcvd: 57

Hello, dmz,

We are getting the record but after the TTL expiry there is around 1 minute and 15 seconds during which we are not getting the record:

[email protected] ~ % dig @1.1.1.1 my.fibank.bg +dnssec

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25885
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg. IN A

;; ANSWER SECTION:
my.fibank.bg. 2 IN A 193.178.166.36
my.fibank.bg. 2 IN RRSIG A 8 3 600 20200224132930 20200217122930 19833 fibank.bg. VnBI91M6bOiJSPf0iIBiFAJLNo5iFieRSi8ouJKnfGmMdgkHkFpEVjHa X4sfCyaczgiCMhKxtqPM8M/CSIIUrBbwYzvzMnqvqd8lM5OYKKUICfwM Hz2LulBd4JAADU/rIbv6IohlfOeDuaAXJVcYU/6Yf3QO9nVNeTpoTc2I 5to=

;; Query time: 53 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Feb 19 08:51:52 EET 2020
;; MSG SIZE rcvd: 226

[email protected] ~ % dig @1.1.1.1 my.fibank.bg +dnssec

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg. IN A

;; ANSWER SECTION:
my.fibank.bg. 1 IN A 193.178.166.36
my.fibank.bg. 1 IN RRSIG A 8 3 600 20200224132930 20200217122930 19833 fibank.bg. VnBI91M6bOiJSPf0iIBiFAJLNo5iFieRSi8ouJKnfGmMdgkHkFpEVjHa X4sfCyaczgiCMhKxtqPM8M/CSIIUrBbwYzvzMnqvqd8lM5OYKKUICfwM Hz2LulBd4JAADU/rIbv6IohlfOeDuaAXJVcYU/6Yf3QO9nVNeTpoTc2I 5to=

;; Query time: 53 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Feb 19 08:51:53 EET 2020
;; MSG SIZE rcvd: 226

[email protected] ~ %

[email protected] ~ % dig @1.1.1.1 my.fibank.bg +dnssec

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48319
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg. IN A

;; AUTHORITY SECTION:
fibank.bg. 2515 IN SOA gate.fibank.bg. root.fibank.bg. 2020013001 14400 3600 1209600 36000
fibank.bg. 2515 IN RRSIG SOA 8 2 3600 20200221144121 20200214134121 19833 fibank.bg. tQ3u9+bK2ADmjxuGUkFpOk6oaGCJpnTT1g9y5Uk2VU3YLnRcVDQsjDrR ySTZ0l/M7f4NhblVo02nQUuTvmTp2l2+UggGBdgZJeYGN5QynQYcAYo0 ZL9ChvAMGxuf0plHrFUIYhaO28eYaKPtXKlxZefc3EZ60HYkcZEOf0Et Ivw=
r7qqgs0a3iecus9798nqnrfb6got45jf.fibank.bg. 9093 IN NSEC3 1 0 1 348445738C428E27 R7QQGS0A3IECUS9798NQNRFB6GOT45JG TXT RRSIG
r7qqgs0a3iecus9798nqnrfb6got45jf.fibank.bg. 9093 IN RRSIG NSEC3 8 3 36000 20200225053706 20200218043706 19833 fibank.bg. d38k69daZyaIeFkiDGSqrxsON8WMT8Vt6y8HuKI8bVtsYs7pOr7h7KxO 7X9NEE+vaE1duqmAxoBYge33jh4DeYBEDRAooTG1sUUlKqFSkjZt0aSw JHiOsO4CBoEhVk8ujQ/hbItfhZmwkmHOx6khGNlF4Vui9xtxCXUUMKaf 3J0=

;; Query time: 53 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Feb 19 08:51:55 EET 2020
;; MSG SIZE rcvd: 512

[email protected] ~ % dig @1.1.1.1 my.fibank.bg +dnssec

; <<>> DiG 9.10.6 <<>> @1.1.1.1 my.fibank.bg +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24123
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;my.fibank.bg. IN A

;; AUTHORITY SECTION:
fibank.bg. 2514 IN SOA gate.fibank.bg. root.fibank.bg. 2020013001 14400 3600 1209600 36000
fibank.bg. 2514 IN RRSIG SOA 8 2 3600 20200221144121 20200214134121 19833 fibank.bg. tQ3u9+bK2ADmjxuGUkFpOk6oaGCJpnTT1g9y5Uk2VU3YLnRcVDQsjDrR ySTZ0l/M7f4NhblVo02nQUuTvmTp2l2+UggGBdgZJeYGN5QynQYcAYo0 ZL9ChvAMGxuf0plHrFUIYhaO28eYaKPtXKlxZefc3EZ60HYkcZEOf0Et Ivw=
vrorgffrb22fb3n2run9lci9m76v15mh.fibank.bg. 10345 IN NSEC3 1 0 1 41B4443EFBC69C3E VRORGFFRB22FB3N2RUN9LCI9M76V15MI TXT RRSIG
vrorgffrb22fb3n2run9lci9m76v15mh.fibank.bg. 10345 IN RRSIG NSEC3 8 3 36000 20200225045436 20200218035436 19833 fibank.bg. Sd7FPEUPs+E8EJLujTv/nxZwX9XxBvsEjwhBfSRtp3txYe1ufv+yqJ/U 86oW117yQM6xPDEVEBILziShofb5bz5QncD50VlUcYrGs5MDsIKOk7F2 T7mtHZNWQdtpUsbiYeZOxH1woXTJBGMaE1A+KiNZ/kfwiSkUK7sN9j3o 6eI=

;; Query time: 62 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Feb 19 08:51:56 EET 2020
;; MSG SIZE rcvd: 512

Any other suggestions?

Hi @yasen.trichkov,

Unfortunately, that goes beyond my knowledge. I hope that some DNSSEC-knowledgeable user can help.

It looks like there were some bogus negative responses (NSEC3 records) in your zone. 1.1.1.1 uses Knot Resolver, which will synthesize not only NXDOMAIN (non-existent domain name) errors but also NODATA (no record of that type) negative responses.

Perhaps the bogus (stale?) NSEC3 records have been replaced in your zone and it is all working reliably now, but if not you could try re-signing the records in your zone.
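
Added illustration, not part of the thread and not code from Cloudflare or Knot Resolver: a check of what the two NSEC3 records quoted in the empty answers above would tell a caching resolver about `my.fibank.bg` type A, using the RFC 5155 hash with each record's own salt and iteration count. The function names `nsec3_hash` and `classify` are made up for this example, and signature validation is assumed to have happened already.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet used for NSEC3 owner labels.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash (algorithm 1, SHA-1) of a name, as a lowercase base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()

def classify(qname, qtype, rec):
    """What one cached NSEC3 record says about qname/qtype (signatures not checked)."""
    h = nsec3_hash(qname, rec["salt"], rec["iterations"])
    owner = rec["owner"].lower().split(".")[0]
    nxt = rec["next"].lower()
    if h == owner:                       # record matches the name itself
        return "type exists" if qtype in rec["types"] else "NODATA"
    if owner < nxt:
        covered = owner < h < nxt
    else:                                # last record in the chain wraps around
        covered = h > owner or h < nxt
    return "name covered" if covered else "not applicable"

# The two NSEC3 records quoted in the thread's empty answers.
THREAD_RECORDS = [
    {"owner": "r7qqgs0a3iecus9798nqnrfb6got45jf.fibank.bg.",
     "salt": "348445738C428E27", "iterations": 1,
     "next": "R7QQGS0A3IECUS9798NQNRFB6GOT45JG", "types": {"TXT", "RRSIG"}},
    {"owner": "vrorgffrb22fb3n2run9lci9m76v15mh.fibank.bg.",
     "salt": "41B4443EFBC69C3E", "iterations": 1,
     "next": "VRORGFFRB22FB3N2RUN9LCI9M76V15MI", "types": {"TXT", "RRSIG"}},
]

if __name__ == "__main__":
    for rec in THREAD_RECORDS:
        print(rec["owner"], "->", classify("my.fibank.bg", "A", rec))
```

A result of `NODATA` means the record's owner label is the hash of the queried name and its type bitmap lacks `A`, which is the kind of cached proof a resolver can reuse to answer without asking the authoritative servers again.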