www.lancaster.ac.uk not resolving (SERVFAIL)


#1

(I’ve had to butcher some domain names in here to work around the limitation that ‘new users can only post 2 links’!)

I’m unable to resolve entries below lancaster.ac.uk via 1.1.1.1:

$ dig www.lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> www.lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2225
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
www.lancaster.ac.uk.	43200	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	1610	IN	A	148.88.65.80

;; Query time: 50 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 03 22:41:04 BST 2018
;; MSG SIZE  rcvd: 88

Note the status of SERVFAIL. Both lancaster.ac.uk & lancs.ac.uk are DNSSEC signed, and I believe they are valid - DNSViz seems to be happy:

http://dnsviz.net/d/www.lancaster.ac.uk/dnssec/

& 8.8.8.8 is happy too:

$ dig www.lancaster.ac.uk @8.8.8.8

; <<>> DiG 9.10.6 <<>> www.lancaster.ac.uk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	21599	IN	DNAME	lancs.ac.uk.
www.lancaster.ac.uk.	21599	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	3599	IN	A	148.88.65.80

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 03 22:50:45 BST 2018
;; MSG SIZE  rcvd: 113

One nuance is that lancaster.ac.uk contains a DNAME record.

Queries for the apex of lancaster.ac.uk are successful:

$ dig lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17896
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	2211	IN	A	148.88.65.80

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 03 22:45:26 BST 2018
;; MSG SIZE  rcvd: 60

I note there are similar reports of SERVFAILs when CNAMEs are involved:

These appear to have been magically fixed at the Cloudflare end, but if there is a fault with lancaster.ac.uk I’d like to know so it can be resolved at the origin. (I am [email protected])


#2

Someone knowledgeable should verify this, but kresd may not support signed DNAMEs at all.


#3

Yes, this is an issue with validating DNAME records. It’s on our to-do list.
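
An added example (not written by any poster in this thread, and not Cloudflare's or kresd's code): a standard-library Python check that applies the RFC 6672 DNAME substitution to the two answer sections quoted in post #1 and reports whether each CNAME is accounted for by a DNAME in the same answer. The function names and verdict labels are assumptions made for this illustration.

```python
def labels(name):
    """Split a domain name into lowercase labels, ignoring the trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def synthesize_cname(qname, owner, target):
    """CNAME target RFC 6672 prescribes for qname under a DNAME, else None."""
    q, o = labels(qname), labels(owner)
    n = len(q) - len(o)
    if n <= 0 or q[n:] != o:  # a DNAME never redirects its own owner name
        return None
    return ".".join(q[:n] + labels(target)) + "."

def parse_answer(text):
    """Parse dig ANSWER SECTION lines into (owner, rrtype, rdata) tuples."""
    rrs = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 5 and not line.startswith(";"):
            rrs.append((f[0].lower(), f[3].upper(), f[4].lower()))
    return rrs

def classify_cnames(answer_text):
    """Label each CNAME in an answer section:
    'synthesized' - matches a DNAME in the same answer (the DNAME carries the signature)
    'mismatch'    - covered by a DNAME, but the target is not the substitution
    'standalone'  - no covering DNAME present in the answer"""
    rrs = parse_answer(answer_text)
    dnames = [(o, d) for o, t, d in rrs if t == "DNAME"]
    result = {}
    for owner, rrtype, rdata in rrs:
        if rrtype != "CNAME":
            continue
        verdict = "standalone"
        for d_owner, d_target in dnames:
            expected = synthesize_cname(owner, d_owner, d_target)
            if expected is not None:
                verdict = "synthesized" if labels(expected) == labels(rdata) else "mismatch"
        result[owner] = verdict
    return result

# Answer sections copied from the two dig outputs in post #1.
ANSWER_1111 = """
www.lancaster.ac.uk. 43200 IN CNAME www.lancs.ac.uk.
www.lancs.ac.uk. 1610 IN A 148.88.65.80
"""
ANSWER_8888 = """
lancaster.ac.uk. 21599 IN DNAME lancs.ac.uk.
www.lancaster.ac.uk. 21599 IN CNAME www.lancs.ac.uk.
www.lancs.ac.uk. 3599 IN A 148.88.65.80
"""
```

Run over the post #1 data, the 8.8.8.8 answer's CNAME is classified as synthesized from the DNAME, while the 1.1.1.1 answer returns the same CNAME with no DNAME alongside it.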