Netcup Bug Our company's domain from time to time not indexed by cloudflare DNS

What is the name of the domain?

roterobben.de

Please include test result URL when you create a post in the community forum. Paste the results from → 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver

What is the error number?

Server DNS address could not be found

What is the error message?

Server DNS address could not be found

What is the issue you’re encountering

From time to time our domain becomes unreachable from devices using cloudflare DNS

What steps have you taken to resolve the issue?

Checked the entry with nslookup and dnschecker. No issues on Google DNS, OpenDNS etc.

What are the steps to reproduce the issue?

Try to access our domain from a device using 1.1.1.1 or using a service like dnschecker.org

There’s something not quite right in your DNSSEC. Both 1.1.1.1 and 8.8.8.8 are picking it up, 1.1.1.1 as a result does not answer, but 8.8.8.8 still does.

It only shows as a warning on the checkers…
https://dnssec-debugger.verisignlabs.com/roterobben.de
https://dnsviz.net/d/roterobben.de/dnssec/

dig roterobben.de @1.1.1.1

; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> roterobben.de @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21902
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus): (for DNSKEY roterobben.de., id = 24071)
;; QUESTION SECTION:
;roterobben.de.			IN	A

;; Query time: 99 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Mon Jul 15 14:57:07 UTC 2024
;; MSG SIZE  rcvd: 85
dig roterobben.de @8.8.8.8

; <<>> DiG 9.18.24-0ubuntu0.22.04.1-Ubuntu <<>> roterobben.de @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37928
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for roterobben.de/dnskey (keytag=24071))
;; QUESTION SECTION:
;roterobben.de.			IN	A

;; ANSWER SECTION:
roterobben.de.		10	IN	A	95.156.230.120

;; Query time: 67 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Mon Jul 15 14:57:21 UTC 2024
;; MSG SIZE  rcvd: 140
3 Likes

Hi, I don’t know why 8.8.8.8 returns an authenticated (with AD bit) result in this case, but from what I can tell, DNSVIZ also reports the same error after updated the report (it was serving a report created in April): roterobben.de | DNSViz

4 Likes

Hi @sjr and @Hunts,

Thank you very much for your input, this helped a lot.
After after consultation with customer service, this is in fact a bug on Netcup’s side (context[German])

TLDR: They are working on it and the reworked DNS-System should go live in q4 2024. Until then as a Netcup-customer you can try to deactivate DNSSEC wait 10 minutes and activate it again. Which will give you around 2 months without issues, it seems.

1 Like

Maybe a mod can adapt the title so that other Netcup customers can find this easier.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.