www.maybank2e.com doesn't resolve on 1.1.1.1 with SERVFAIL error

Relevant tests and outputs below:

$ dig www.maybank2e.com @1.1.1.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62098
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (time limit exceeded)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 19 16:46:11 +08 2022
;; MSG SIZE  rcvd: 71

$ dig www.maybank2e.com @1.0.0.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55464
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (time limit exceeded)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; Query time: 6 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (UDP)
;; WHEN: Tue Apr 19 16:46:36 +08 2022
;; MSG SIZE  rcvd: 71

$ dig www.maybank2e.com @8.8.8.8

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29352
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; ANSWER SECTION:
www.maybank2e.com.	2	IN	CNAME	e3dnkth.x.incapdns.net.
e3dnkth.x.incapdns.net.	3	IN	A	45.60.126.208

;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Tue Apr 19 16:46:59 +08 2022
;; MSG SIZE  rcvd: 98

$ dig +short CHAOS TXT id.server @1.1.1.1
"KUL"
$ dig +short CHAOS TXT id.server @1.0.0.1
"KUL"

Prefer not to share my IP, sorry about that :pray:

Do let me know if there’s any other info I can share.

Thanks!

I’ll ping the DNS wizards for you @mvavrusa @milk

One of the nameservers on that domain (EXTDNS2.MAYBANK.COM.MY) seems not to resolve, not sure if that has anything to do with it.

Seems to be an issue with one of the domain’s nameservers not existing in DNS (specifically extdns2.maybank.com.my) which also causes a DNSSEC failure.

; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528)
; EDE: 22 (No Reachable Authority): (time limit exceeded)

The domain has 3 nameservers.

maybank2e.com.		172800	IN	NS	extdns.maybank.com.my.
maybank2e.com.		172800	IN	NS	extdns2.maybank.com.my.
maybank2e.com.		172800	IN	NS	extdns3.maybank.com.my.

extdns2.maybank.com.my doesn’t resolve to anything and during the DNSSEC chain lookup, it causes a failure.

maybank2e.com zone: The following NS name(s) did not resolve to address(es): extdns2.maybank.com.my

com to maybank2e.com: The following NS name(s) were found in the delegation NS RRset (i.e., in the com zone), but not in the authoritative NS RRset: extdns2.maybank.com.my

https://dnsviz.net/d/maybank2e.com/dnssec/

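The two DNSViz findings quoted above (an NS name present in the delegation but not in the zone's own NS RRset, and an NS name with no address) can be checked mechanically from dig-style records. This is an added example, not part of the original thread: the delegation NS set is the one quoted in the post, while the authoritative NS set, the TTLs and the 192.0.2.x addresses are constructed for illustration, and `audit_delegation` is a hypothetical helper name.

```python
# Delegation NS RRset as quoted in the thread (from the com zone).
PARENT_NS = """
maybank2e.com.  172800  IN  NS  extdns.maybank.com.my.
maybank2e.com.  172800  IN  NS  extdns2.maybank.com.my.
maybank2e.com.  172800  IN  NS  extdns3.maybank.com.my.
"""
# Constructed: an authoritative NS RRset matching the DNSViz description.
CHILD_NS = """
maybank2e.com.  3600  IN  NS  extdns.maybank.com.my.
maybank2e.com.  3600  IN  NS  extdns3.maybank.com.my.
"""
# Constructed: address lookups for the NS names (documentation addresses).
ADDRESSES = """
extdns.maybank.com.my.   300  IN  A  192.0.2.10
extdns3.maybank.com.my.  300  IN  A  192.0.2.30
"""

def parse_rrs(text):
    """Parse dig-style 'owner ttl class type rdata' lines into tuples."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";") and parts[2].upper() == "IN":
            owner, rtype, rdata = parts[0], parts[3], parts[4]
            rrs.append((owner.lower().rstrip("."), rtype.upper(), rdata.lower().rstrip(".")))
    return rrs

def ns_names(rrs, zone):
    """NS targets listed for the zone apex."""
    return {rdata for owner, rtype, rdata in rrs if rtype == "NS" and owner == zone}

def audit_delegation(zone, parent_text, child_text, address_text):
    """Compare parent and child NS sets and list NS names lacking any address."""
    zone = zone.lower().rstrip(".")
    parent = ns_names(parse_rrs(parent_text), zone)
    child = ns_names(parse_rrs(child_text), zone)
    have_addr = {o for o, t, _ in parse_rrs(address_text) if t in ("A", "AAAA")}
    return {
        "only_in_delegation": sorted(parent - child),
        "only_in_authoritative": sorted(child - parent),
        "no_address": sorted((parent | child) - have_addr),
    }

if __name__ == "__main__":
    print(audit_delegation("maybank2e.com.", PARENT_NS, CHILD_NS, ADDRESSES))
```
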

Primary name server in the SOA… “maybank.gridmaster”, what’s that supposed to mean?

Also, extdns2.maybank.com.my is MIA

Thanks a bunch for debugging this. So am I right that extdns2.maybank.com.my being missing is causing DNSSEC errors which is then what is causing 1.1.1.1 to not return the record due to the failure to verify the DNSSEC chain?

This is the corporate banking portal my business uses, and I noticed recently that it has not been reachable on my home network, which uses 1.1.1.1. That being said, I noticed that 8.8.8.8 happily returns the IP address of the server.

Just curious, in this case, is 8.8.8.8’s behaviour correct or is 1.1.1.1?

Side note, will be submitting the above in an email to bank IT support :rofl: Let’s see how long it takes for them to fix it.

So, a weird development:

1.1.1.1 is now returning an IP for www.maybank2e.com but extdns2.maybank.com.my still seems to be offline

$ dig www.maybank2e.com @1.1.1.1

; <<>> DiG 9.18.1 <<>> www.maybank2e.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6428
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528)
;; QUESTION SECTION:
;www.maybank2e.com.		IN	A

;; ANSWER SECTION:
www.maybank2e.com.	35	IN	CNAME	e3dnkth.x.incapdns.net.
e3dnkth.x.incapdns.net.	15	IN	A	45.60.126.208

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 19 22:29:02 +08 2022
;; MSG SIZE  rcvd: 202

Why would it be working again now if nothing seems to have changed?

Run it enough times & it might not timeout when trying to query the AWOL nameserver.

If it times out, you get ; EDE: 22 (No Reachable Authority): (time limit exceeded).

If it doesn’t, you get ; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528) and the records back.

As for the nitty-gritty technical details as to how closely the resolvers follow the specs, or which flags they use by default for queries, I’m not sure if that’s documented anywhere.
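A monitoring check can tell the two outcomes described above apart, and spot a resolver that alternates between them, by reading the status and EDE lines of each dig response. This is an added example, not part of the original thread: the sample text is trimmed from the dig output quoted on this page, and the function names and class labels are hypothetical.

```python
import re

# Header, EDE and SERVER lines copied from three dig responses quoted in the thread.
SAMPLES = [
    """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62098
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 22 (No Reachable Authority): (time limit exceeded)
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)""",
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29352
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)""",
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6428
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 1 (Unsupported DNSKEY Algorithm): (failed to verify e3dnkth.x.incapdns.net. A: unsupported key size, DNSKEY incapdns.net., id = 51528)
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)""",
]

def parse_dig(output):
    """Pull server, rcode, answer count and EDE codes out of one dig response."""
    def first(pattern, default):
        m = re.search(pattern, output, re.M)
        return m.group(1) if m else default
    return {
        "server": first(r"^;; SERVER: ([^#\s]+)", "?"),
        "status": first(r"status: (\w+)", "?"),
        "answers": int(first(r"ANSWER: (\d+)", "0")),
        "ede": [int(c) for c in re.findall(r"^; EDE: (\d+) ", output, re.M)],
    }

def triage(resp):
    """Map one parsed response to a coarse class a monitor can alert on."""
    if resp["status"] == "SERVFAIL":
        # EDE 22 = No Reachable Authority: the resolver timed out upstream.
        return "upstream-timeout" if 22 in resp["ede"] else "servfail-other"
    if resp["ede"]:
        return "answered-with-ede"  # data returned, resolver attached a warning
    return "answered" if resp["answers"] else "empty"

def flapping(responses):
    """Servers whose responses for the same name fell into more than one class."""
    seen = {}
    for r in responses:
        seen.setdefault(r["server"], set()).add(triage(r))
    return sorted(s for s, classes in seen.items() if len(classes) > 1)
```
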

The nameservers are in maybank.com.my, which has this NS set at the registry:

;; AUTHORITY SECTION:
maybank.com.my.     	86400	IN	NS	extdns2.maybank.com.my.
maybank.com.my.     	86400	IN	NS	ns1-122.akam.net.
maybank.com.my.     	86400	IN	NS	extdns.maybank.com.my.
maybank.com.my.     	86400	IN	NS	ns1-61.akam.net.
maybank.com.my.     	86400	IN	NS	asia2.akam.net.

;; ADDITIONAL SECTION:
extdns.maybank.com.my.	86400	IN	A	202.162.17.34
extdns2.maybank.com.my.	86400	IN	A	203.153.92.36

And extdns2.maybank.com.my doesn’t work, as you have noticed, so if your query is unlucky enough to pick it, it’s most likely not going to work, but a retry should work again. I’ll make a ticket to see if we can improve this without negatively impacting the resolution times.
