Not all NSEC3 records secure from 1.1.1.1 for DS X while building chain of trust

What is the name of the domain?

sopfeu.qc.ca

Please include test result URL when you create a post in the community forum. Paste the results from → 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver

What is the error message?

validation failure <sopfeu.qc.ca. A IN>: not all NSEC3 records secure from 1.1.1.1 for DS sopfeu.qc.ca. while building chain of trust

What is the issue you’re encountering

SERVFAIL when using 1.1.1.1 with DNS over TLS for certain websites

What steps have you taken to resolve the issue?

If I change from Cloudflare DNS to any competitor offering DNS over TLS, it works.

What are the steps to reproduce the issue?

  • Set up DNS over TLS with Cloudflare
  • dig sopfeu.qc.ca
  • the problem only happens with certain domains, for others it works correctly
  • my configuration hasn’t changed for the past 2+ years, I started noticing this problem only very recently on websites I regularly interact with
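The error quoted above comes from the step where a validating resolver (Unbound here, forwarding to 1.1.1.1 over DoT) asks the parent zone for the DS record of sopfeu.qc.ca and gets a negative answer that NSEC3 records must prove. The Python below is an added illustration, not part of this thread or of Unbound's code: it implements the RFC 5155 NSEC3 hash and the two ways such a DS proof can succeed (a matching record without a DS bit, or a covering Opt-Out record); anything else leaves the delegation bogus, which is what a client sees as SERVFAIL. The NSEC3 record contents are constructed (the hash parameters are those of RFC 5155 Appendix A, not the real qc.ca zone), and the closest-encloser check is simplified to the parent apex.

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "extended hex" alphabet, lowercase

def to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of a DNS name, e.g. b'\\x06sopfeu\\x02qc\\x02ca\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def b32hex(data: bytes) -> str:
    """Base32hex without padding; keeps byte order, so string order == hash order."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(B32HEX[int(bits[i:i + 5].ljust(5, "0"), 2)] for i in range(0, len(bits), 5))

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), then re-hashed `iterations` more times."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)

def nsec3_covers(owner_hash: str, next_hash: str, target: str) -> bool:
    """True if target lies strictly between owner and next; the last record wraps to the first."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target.lower()
    return o < t < n if o < n else (t > o or t < n)

def ds_proof_status(child: str, salt: bytes, iterations: int, nsec3_rrs: list) -> str:
    """Conclusion a validator draws from the (already RRSIG-validated) NSEC3s in a negative DS answer.
    'no-ds'  : matching NSEC3 with neither DS nor SOA set -> proven unsigned delegation
    'opt-out': covering NSEC3 with the Opt-Out flag -> delegation may be unsigned
    'bogus'  : neither proof present -> SERVFAIL. Simplification: closest encloser = parent apex."""
    target = nsec3_hash(child, salt, iterations)
    for rr in nsec3_rrs:                       # RFC 5155 8.6: no-data proof for the DS type
        if rr["owner_hash"].lower() == target:
            return "bogus" if {"DS", "SOA"} & set(rr["types"]) else "no-ds"
    for rr in nsec3_rrs:                       # RFC 5155 8.9: Opt-Out span covering the name
        if rr["opt_out"] and nsec3_covers(rr["owner_hash"], rr["next_hash"], target):
            return "opt-out"
    return "bogus"

# Constructed demonstration data (not real qc.ca zone contents); salt/iterations from RFC 5155 App. A.
SALT, ITER = bytes.fromhex("aabbccdd"), 12
CHILD = "sopfeu.qc.ca"
H = nsec3_hash(CHILD, SALT, ITER)
MATCHING = [{"owner_hash": H, "next_hash": "v" * 32, "types": ["NS"], "opt_out": False}]
OPTOUT = [{"owner_hash": "0" * 32, "next_hash": "v" * 32, "types": ["NS"], "opt_out": True}]
UNRELATED = [{"owner_hash": "0" * 32, "next_hash": "0" * 31 + "1", "types": ["NS"], "opt_out": True}]  # empty span

if __name__ == "__main__":
    print({k: ds_proof_status(CHILD, SALT, ITER, v) for k, v in [("matching", MATCHING), ("opt-out", OPTOUT), ("unrelated", UNRELATED)]})
```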

Hi, thanks for reporting the issue.

I’m trying to understand the step: “Setup DNS over TLS with Cloudflare”, sounds like you were using a stub resolver that does DNSSEC validation? If so, may I know what stub resolver software you were using that forwards queries to 1.1.1.1 over DoT? If not a stub resolver, is that a browser or something?

The answers would help us reproduce the potential issue when investigating.

I’m using Unbound on OPNsense. Hope that helps. I toyed a little bit with Unbound settings (was using defaults) for example by unchecking “Harden DNSSEC data” but that didn’t help (when using Cloudflare DNS).

Switched back to 1.1.1.1 after a week and everything is working fine so far. Maybe a glitch in the matrix with the local cache at YUL for Cloudflare? Don’t think the issue was on my side but it’s difficult to test. I didn’t change anything… guess we will never know!

That’s good to know! I haven’t yet found time to set up an environment like yours to reproduce the issue.

Please let us know if you run into the same problem again.