Www.lancaster.ac.uk not resolving (SERVFAIL)

(I’ve had to butcher some domain names in here to work around the limitation that ‘new users can only post 2 links’!)

I’m unable to resolve entries below lancaster.ac.uk via 1.1.1.1:

$ dig www.lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> www.lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2225
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
www.lancaster.ac.uk.	43200	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	1610	IN	A	148.88.65.80

;; Query time: 50 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 03 22:41:04 BST 2018
;; MSG SIZE  rcvd: 88

Note the status of SERVFAIL. Both lancaster.ac.uk & lancs.ac.uk are dnssec signed, and I believe they are valid - DNSViz seems to be happy:

http://dnsviz.net/d/www.lancaster.ac.uk/dnssec/

& 8.8.8.8 is happy too:

$ dig www.lancaster.ac.uk @8.8.8.8

; <<>> DiG 9.10.6 <<>> www.lancaster.ac.uk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	21599	IN	DNAME	lancs.ac.uk.
www.lancaster.ac.uk.	21599	IN	CNAME	www.lancs.ac.uk.
www.lancs.ac.uk.	3599	IN	A	148.88.65.80

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 03 22:50:45 BST 2018
;; MSG SIZE  rcvd: 113

One nuance is that lancaster.ac.uk contains a DNAME record.

Queries for the apex of lancaster.ac.uk are successful:

$ dig lancaster.ac.uk @1.1.1.1

; <<>> DiG 9.10.6 <<>> lancaster.ac.uk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17896
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;lancaster.ac.uk.		IN	A

;; ANSWER SECTION:
lancaster.ac.uk.	2211	IN	A	148.88.65.80

;; Query time: 51 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 03 22:45:26 BST 2018
;; MSG SIZE  rcvd: 60

I note there are similar reports of SERVFAILs when CNAMEs are involved:

These appear to have been magically fixed at the Cloudflare end, but if there is a fault with lancaster.ac.uk I’d like to know so it can be resolved at the origin. (I am [email protected])

1 Like

Someone knowledgeable should verify this, but kresd may not support signed DNAMEs at all.

1 Like

Yes, this is an issue with validating DNAME records. It’s on our to-do list.

2 Likes

I’m noticing this as well. Cloudflare and CleanBrowsing both return SERVFAIL, Google Public DNS and VeriSign DNS resolve correctly.

https://dns.google.com/query?name=www.lancaster.ac.uk&dnssec=true

1 Like

Has this been looked into yet? The site is still unreachable as of today.

1 Like

Is this getting fixed soon?

err_name_not_resolved

In the meantime I switched back to Google DNS. This is not the only domain not resolving with Cloudflare. The performance difference between 1.1.1.1 and 8.8.8.8 in my area is also negligible.

I thought 1.1.1.1 was legit until this. If it can’t resolve actual valid domains then all this stuff they are developing is pointless. What are they expecting us to do, you can’t just switch your router settings back and forth to access websites that they haven’t bothered to implement yet.

Do you know if there are threads about all of them? Or what the issues affecting the other domains are?

1 Like

Necro-ing because it seems to not be fixed. :////

Still waiting to switch from Google to Cloudflare… You got an ETA?

1 Like

For reference, DNAME validation was claimed to be fixed several weeks ago, so I expect these should consistently work now.