kdig @22.214.171.124 NS www.cssz.cz +nsid ;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 49097 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR ;; NSID: 33316D3533 "31m53" ;; EDE: 22 (No Reachable Authority) ;; QUESTION SECTION: ;; www.cssz.cz. NS ;; Received 55 B ;; Time 2021-11-05 11:55:32 CET ;; From [email protected](UDP) in 23.2 ms
It’s not like their authoritative servers behave ideally, but I haven’t noticed any real reason for SERVFAIL and e.g. our Knot Resolver instances have no issues when resolving this directly (without forwarding through CloudFlare).
The problem seems to be consistent. Practical issues happen when forwarding to CloudFlare with QNAME minimization.