nanog mailing list archives

Re: login.authorize.net has A and CNAME records


From: Mark Andrews <marka () isc org>
Date: Wed, 7 Apr 2021 07:48:37 +1000



On 7 Apr 2021, at 05:59, Arne Jensen <darkdevil () darkdevil dk> wrote:


On 06-04-2021 at 21:47, Seth Mattinen wrote:


What kind of local problem or network problems could cause a servfail
response from the authoritative ns?



I'm beginning to think this is a DNSSEC related problem, I'll ask on
the pdns-users list. I see it's asking for a DS record on
login.authorize.net.cdn.cloudflare.net when the nearest one appears to
be at cloudflare.net, so for some reason that's not being applied all
the way down.

I do somehow take that "local problem" part back again, which also
wasn't intended exactly in the way that it was written:

->
https://dnssec-analyzer.verisignlabs.com/login.authorize.net.cdn.cloudflare.net

Is looking at login.authorize.net.cdn.cloudflare.net/DNSKEY, but failing
due to the SERVFAIL.

-> https://dnsviz.net/d/login.authorize.net.cdn.cloudflare.net/dnssec/

Seems to claim that it works just fine.

Asking login.authorize.net.cdn.cloudflare.net/DNSKEY or
login.authorize.net.cdn.cloudflare.net/DS returns SERVFAIL here too.


But I don't think you should be querying /DNSKEY or /DS, except at the
(current) delegation's root, e.g. as you say yourself, at
"cloudflare.net" in this case.

It shouldn’t matter if you query for them.  If the records don’t exist then
you should get back NOERROR/NODATA responses with NSEC/NSEC3 records to prove
those responses.

Note the server claims that TXT records exist at login.authorize.net.cdn.cloudflare.net
but can’t return them. 


% dig login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net type65 @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1641
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TYPE65

;; AUTHORITY SECTION:
cloudflare.net.         5       IN      SOA     ns1.cloudflare.net. dns.cloudflare.com. 1617743605 10000 2400 604800 5
login.authorize.net.cdn.cloudflare.net. 5 IN NSEC \000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA
cloudflare.net.         5       IN      RRSIG   SOA 13 2 5 20210407221325 20210405201325 34505 cloudflare.net. BfBNcB9zG3T6d7mu5okde144g0OlxBazynPBD78o/ig5y0JHWo+L2ufu mhSfOquAkq6lqa/V+3yySMERlQKcIQ==
login.authorize.net.cdn.cloudflare.net. 5 IN RRSIG NSEC 13 6 5 20210407221325 20210405201325 34505 cloudflare.net. +shgKZcdkQZvH9ZFEZvdXyHe7+FkX1mCit9xe4V7A+uEEYi3L7vnf16x Wyvzs0o4TlQiOJlYBG4vEkKE3d8NwQ==

;; Query time: 17 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:13:25 AEST 2021
;; MSG SIZE  rcvd: 417

% 

% dig login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec

; <<>> DiG 9.15.4 <<>> login.authorize.net.cdn.cloudflare.net txt @198.41.222.31 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46557
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net.        IN TXT

;; Query time: 15 msec
;; SERVER: 198.41.222.31#53(198.41.222.31)
;; WHEN: Wed Apr 07 07:14:22 AEST 2021
;; MSG SIZE  rcvd: 67

%

Or if "cdn.cloudflare.net" had been a sub-delegation, then at that point...

-- 
Kind regards,
Arne Jensen



-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org
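The inconsistency Mark points out above (an NSEC whose type bitmap says TXT exists at the name, while a TXT query gets SERVFAIL) can be checked mechanically; the following is an added illustration, not code from the thread or from ISC, and it works on responses transcribed from the dig output in this message rather than on live queries.

```python
"""Cross-check an NSEC type bitmap against the answers a server actually gives.

An NSEC record returned in a NOERROR/NODATA response is a signed claim about
which RR types exist at its owner name.  A query for a type the bitmap lists
must therefore be answered with data; NODATA or SERVFAIL for such a type means
the server contradicts its own proof of (non)existence.
"""

# Constructed from the dig output quoted in this message: the NSEC record the
# server returned for the TYPE65 query, and the rcode / answer count observed
# for each query type.  In a real tool these would come from live responses.
NSEC_TEXT = ("login.authorize.net.cdn.cloudflare.net. 5 IN NSEC "
             "\\000.login.authorize.net.cdn.cloudflare.net. A HINFO MX TXT AAAA LOC "
             "SRV NAPTR CERT SSHFP RRSIG NSEC TLSA SMIMEA HIP OPENPGPKEY TYPE64 SPF URI CAA")
OBSERVED = {"TYPE65": ("NOERROR", 0), "TXT": ("SERVFAIL", 0)}  # qtype -> (rcode, ANSWER count)


def parse_nsec(line):
    """Return (owner, next owner name, set of type mnemonics) from a
    presentation-format NSEC record such as dig prints it."""
    fields = line.split()
    if len(fields) < 5 or fields[3] != "NSEC":
        raise ValueError("not an NSEC record: " + line)
    return fields[0], fields[4], set(fields[5:])


def check_consistency(nsec_line, observed):
    """Return one finding per query type whose observed result contradicts
    the NSEC bitmap for the same owner name; an empty list means consistent."""
    owner, _next_name, types = parse_nsec(nsec_line)
    findings = []
    for qtype, (rcode, ancount) in observed.items():
        listed = qtype in types
        if rcode == "NOERROR" and ancount == 0 and listed:
            # Bitmap says the type exists, yet the server returned NODATA for it.
            findings.append(f"{owner}: NSEC lists {qtype} but NODATA was returned")
        elif rcode == "SERVFAIL":
            # A type the server itself claims to hold (or has just proven absent)
            # should never fail; either way the server is inconsistent.
            verb = "lists" if listed else "omits"
            findings.append(f"{owner}: NSEC {verb} {qtype} but the server answers SERVFAIL")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(NSEC_TEXT, OBSERVED):
        print(finding)
```

Run against the transcribed responses it reports the single contradiction Mark describes: TXT is in the bitmap but the TXT query fails, while the TYPE65 NODATA is consistent because TYPE65 is not listed.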

