_az
October 4, 2023, 8:14am
1
$ dig +short CHAOS TXT id.server @1.1.1.1
"MEL"
Cloudflare failures:
$ dig @1.1.1.1 google.com
; <<>> DiG 9.10.6 <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27800
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 0a 66 61 69 6c 65 64 20 74 6f 20 76 65 72 69 66 79 20 44 53 20 63 6f 6d 2e ("..failed to verify DS com.")
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 318 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 04 19:09:46 AEDT 2023
;; MSG SIZE rcvd: 69
$ dig @1.0.0.1 twitch.tv
; <<>> DiG 9.10.6 <<>> @1.0.0.1 twitch.tv
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17293
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 03 ("..")
; OPT=15: 00 0a 66 61 69 6c 65 64 20 74 6f 20 76 65 72 69 66 79 20 44 53 20 74 76 2e ("..failed to verify DS tv.")
;; QUESTION SECTION:
;twitch.tv. IN A
;; ANSWER SECTION:
twitch.tv. 30 IN A 151.101.194.167
twitch.tv. 30 IN A 151.101.2.167
twitch.tv. 30 IN A 151.101.66.167
twitch.tv. 30 IN A 151.101.130.167
;; Query time: 15 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Wed Oct 04 19:11:23 AEDT 2023
;; MSG SIZE rcvd: 137
Google is OK:
$ dig @8.8.8.8 google.com
; <<>> DiG 9.10.6 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33813
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 22 IN A 142.250.70.174
;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 04 19:13:07 AEDT 2023
;; MSG SIZE rcvd: 55
1 Like
Seeing these errors as well since 1 hour, some roots like at present a lot of intermittent DNSSEC failures, but it rarely also reproduces on com:
; <<>> DiG 9.18.18 <<>> google.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 10 (RRSIGs Missing): (failed to verify DS com.)
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Oct 04 10:33:10 CEST 2023
;; MSG SIZE rcvd: 69
Hi,
This issue is being worked on and reported on our statuspage here:
1 Like
vcunat
October 4, 2023, 11:01am
6
The status is quite vague, so is it related that some instances of 1.1.1.1 are serving signatures that are expired for hours? Example:
dig @1.1.1.1 +dnssec NS . +nsid
; <<>> DiG 9.18.16 <<>> +dnssec +nocr +noclass @1.1.1.1 +dnssec NS . +nsid
;; OPT PSEUDOSECTION:
;; ANSWER SECTION:a.root-servers.net .b.root-servers.net .c.root-servers.net .d.root-servers.net .e.root-servers.net .f.root-servers.net .g.root-servers.net .h.root-servers.net .i.root-servers.net .j.root-servers.net .k.root-servers.net .l.root-servers.net .m.root-servers.net .1004 0500 00 20230921040000 11019 . [omitted]
;; ADDITIONAL SECTION:a.root-servers.net . 511814 A 198.41.0.4a.root-servers.net . 511814 AAAA 2001:503 :ba3e::2:30b.root-servers.net . 511814 A 199.9.14.201b.root-servers.net . 511814 AAAA 2001:500 :200::bc.root-servers.net . 511814 A 192.33.4.12c.root-servers.net . 511814 AAAA 2001:500 :2::cd.root-servers.net . 511814 A 199.7.91.13d.root-servers.net . 511814 AAAA 2001:500 :2d::de.root-servers.net . 511814 A 192.203.230.10e.root-servers.net . 511814 AAAA 2001:500 :a8::ef.root-servers.net . 511814 A 192.5.5.241f.root-servers.net . 511814 AAAA 2001:500 :2f::fg.root-servers.net . 511814 A 192.112.36.4g.root-servers.net . 511814 AAAA 2001:500 :12::d0dh.root-servers.net . 511814 A 198.97.190.53h.root-servers.net . 511814 AAAA 2001:500 :1::53i.root-servers.net . 511814 A 192.36.148.17i.root-servers.net . 511814 AAAA 2001:7fe::53j.root-servers.net . 511814 A 192.58.128.30j.root-servers.net . 511814 AAAA 2001:503 :c27::2:30k.root-servers.net . 511814 A 193.0.14.129k.root-servers.net . 511814 AAAA 2001:7fd::1l.root-servers.net . 511814 A 199.7.83.42l.root-servers.net . 511814 AAAA 2001:500 :9f::42m.root-servers.net . 511814 A 202.12.27.33m.root-servers.net . 511814 AAAA 2001:dc3::35
;; Query time: 5 msec
Which timeframe was this happening and is it still occurring? If it was only during the timeframe on the incident page then it was likely related.
vcunat
October 4, 2023, 2:05pm
8
I had posted it with timestamps. Now I can’t get it return outdated signatures anymore (tried just repeating this single query for now). So hopefully it’s OK.
anb
October 4, 2023, 8:50pm
9
Hi @vcunat and others who’s interested, we have a blog post disclosed more details: 1.1.1.1 lookup failures on October 4th, 2023
3 Likes
system
October 7, 2023, 8:50pm
10
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.