SERVFAIL whilst resolving through DNAME on lancaster.ac.uk

(In September 2018 we reported a similar issue which was later resolved, and the conversation closed in "Www.lancaster.ac.uk not resolving (SERVFAIL)".)

lancaster.ac.uk is a DNSSEC signed zone containing a DNAME record to lancs.ac.uk (also signed).

1.1.1.1 appears unwilling to follow the DNAME and reports SERVFAIL for (e.g.) www.lancaster.ac.uk:

$ dig a www.lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> a www.lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39572
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; Query time: 61 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 20 15:05:43 BST 2021
;; MSG SIZE  rcvd: 54

Resolution via Google DNS is successful:

$ dig a www.lancaster.ac.uk @8.8.8.8

; <<>> DiG 9.10.6 <<>> a www.lancaster.ac.uk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59357
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	21335	IN	DNAME	lancs.ac.uk.
www.lancaster.ac.uk.	21335	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	3335	IN	A	148.88.65.80

;; Query time: 63 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Oct 20 15:20:24 BST 2021
;; MSG SIZE  rcvd: 113

Returning to 1.1.1.1, if I request that DNSSEC validation is not performed, resolution is successful:

$ dig +cd a www.lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> +cd a www.lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33274
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	43200	IN	DNAME	lancs.ac.uk.
www.lancaster.ac.uk.	43200	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	3600	IN	A	148.88.65.80

;; Query time: 64 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 20 15:11:36 BST 2021
;; MSG SIZE  rcvd: 102

And yet queries for the apex of lancaster.ac.uk are successful without disabling DNSSEC validation, so the DNSSEC signatures on lancaster.ac.uk appear to be acceptable (and dnsviz (https://dnsviz.net/d/lancaster.ac.uk/) has no complaints):

$ dig a lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> a lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	73	IN	A	148.88.65.80

;; Query time: 60 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 20 15:06:47 BST 2021
;; MSG SIZE  rcvd: 60

I notice there were recently issues with CNAMEs between (signed?) zones in "1.1.1.1 SERVFAIL resolving deptapps.coe.berkeley.edu - #4 by mvavrusa" - perhaps related since the DNAME processing involves a generated CNAME.

Sorry about that, I can see some names are not validating, I’ll take a look why.
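
The comparison the original post walks through (a normal query against the same query with +cd), as an added shell example that is not part of the thread. The function names are hypothetical, the sample header lines are copied from the dig output in the post, and the OPT=15 decoding follows RFC 8914, where info-code 6 means "DNSSEC Bogus".

```shell
#!/bin/sh
# Added example: classify a resolver's answer from two dig outputs,
# one normal and one taken with +cd (checking disabled).

# Print the RCODE from the "status:" field of dig output $1.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags of dig output $1 include "ad".
dig_has_ad() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# Print the Extended DNS Error info-code (RFC 8914, EDNS option 15) when dig
# shows the option undecoded, as in "; OPT=15: 00 06"; print nothing otherwise.
dig_ede() {
    hex=$(printf '%s\n' "$1" |
        sed -n 's/^; OPT=15: \([0-9a-f]\{2\}\) \([0-9a-f]\{2\}\).*/\1\2/p' | head -n 1)
    [ -z "$hex" ] || echo $((0x$hex))
}

# classify NORMAL_OUTPUT CD_OUTPUT: print a one-word verdict (a heuristic).
classify() {
    normal=$(dig_status "$1"); nocheck=$(dig_status "$2"); ede=$(dig_ede "$1")
    if [ "$normal" = SERVFAIL ] && [ "$nocheck" = NOERROR ]; then
        # Data is retrievable, so the resolver's validation rejected it.
        echo "validation-failure${ede:+ ede=$ede}"
    elif [ "$normal" = SERVFAIL ]; then
        echo "resolution-failure"   # fails even with validation disabled
    elif [ "$normal" = NOERROR ] && dig_has_ad "$1"; then
        echo "validated"
    else
        echo "unvalidated-or-other:$normal"
    fi
}

# Live use (needs network), e.g. probe www.lancaster.ac.uk 1.1.1.1
probe() { classify "$(dig a "$1" "@$2")" "$(dig +cd a "$1" "@$2")"; }

# Header lines copied from the dig output in the post above.
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39572
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; OPT=15: 00 06 ("..")'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33274
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_APEX=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Newer dig releases print the Extended DNS Error option already decoded, in which case dig_ede prints nothing and the verdict carries no ede= suffix.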
