DNSSEC failures since this morning

Hi,

This morning’s unpleasant surprise: I could no longer resolve any subdomains of ec.europa.eu (nslookup error SERVFAIL); disabling DNSSEC was the only way to get back to work. Verisign DNSSEC analyzer shows that the issue is not with the European Commission’s DNS servers, so I’m assuming that the problem is either in my Turris Omnia [freshly updated and rebooted to re-test], or in the forwarder (I’ve tried Google, CloudFlare, and my ISP’s DNS resolver). Any suggestions on how to diagnose this?

Maybe with a concrete example? I tried foo.ec.europa.eu and it seems bogus:

Example without dnssec enabled:

bob@orion ~ $ dig myremote.ec.europa.eu

; <<>> DiG 9.16.22 <<>> myremote.ec.europa.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48442
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;myremote.ec.europa.eu.		IN	A

;; ANSWER SECTION:
myremote.ec.europa.eu.	60	IN	A	147.67.46.13
myremote.ec.europa.eu.	60	IN	A	147.67.222.13

;; Query time: 104 msec
;; SERVER: 192.168.55.1#53(192.168.55.1)
;; WHEN: Wed Dec 08 10:54:11 CET 2021
;; MSG SIZE  rcvd: 82

Same domain name with DNSSEC enabled:

bob@orion ~ $ dig myremote.ec.europa.eu

; <<>> DiG 9.16.22 <<>> myremote.ec.europa.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61192
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;myremote.ec.europa.eu.		IN	A

;; Query time: 350 msec
;; SERVER: 192.168.55.1#53(192.168.55.1)
;; WHEN: Wed Dec 08 10:56:09 CET 2021
;; MSG SIZE  rcvd: 50

Configured with CloudFlare as DNS provider in ReForis.

Hello,
can you please go to Diagnostics and generate a diagnostic report for the DNS and networking subsystem, and put it here?

No need, it’s easy to reproduce, and I see what exactly is going on.


Well, the problem boils down to the same origin as the SERVFAIL I posted. europa.eu SOA is not served signed, for whatever reason. So whenever any validator encounters a negative response, it can’t succeed because SOA is mandatory in there.

Now myremote.ec.europa.eu should be OK if you turn off forwarding (works on my Omnia), but Knot Resolver’s forwarding algorithm is unable to avoid some intermediary queries which get negative replies here – so it runs into this SOA bug here and gets stuck.

I’ll try to contact “them”.
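An added example, not code from the thread or from Knot Resolver: a stdlib-only Python check that applies the rule the reply above leans on (RFC 4035 section 3.1.3: a validator can only prove a negative answer when the AUTHORITY section carries the zone SOA together with an RRSIG covering it). It parses dig-style text; the sample reply, owner names and signature fields are constructed, not a capture of europa.eu.

```python
import re

def parse_dig(text):
    """Return (status, answer_rrs, authority_rrs) from dig text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    sections = {"ANSWER": [], "AUTHORITY": []}
    current = None
    for line in text.splitlines():
        m = re.match(r";; (ANSWER|AUTHORITY|ADDITIONAL|QUESTION) SECTION:", line)
        if m:
            current = m.group(1)
            continue
        # skip blanks, comment lines and sections we do not inspect
        if not line or line.startswith(";") or current not in sections:
            continue
        owner, _ttl, _klass, rtype, rdata = line.split(None, 4)
        sections[current].append((owner, rtype, rdata))
    return status, sections["ANSWER"], sections["AUTHORITY"]

def check_negative_response(text):
    """Explain why a validator would accept or reject this reply."""
    status, answer, authority = parse_dig(text)
    if status == "NOERROR" and answer:
        return "positive answer; negative-response checks do not apply"
    if status not in ("NOERROR", "NXDOMAIN"):
        return f"status {status}; nothing to validate"
    soa = [r for r in authority if r[1] == "SOA"]
    if not soa:
        return "bogus: negative response without SOA in AUTHORITY"
    # RRSIG rdata starts with the covered type, e.g. "SOA 8 2 600 ..."
    signed_soa = [r for r in authority
                  if r[1] == "RRSIG" and r[2].split()[0] == "SOA"
                  and r[0] == soa[0][0]]
    if not signed_soa:
        return f"bogus: SOA for {soa[0][0]} is not signed (no RRSIG SOA)"
    if not any(r[1] in ("NSEC", "NSEC3") for r in authority):
        return "bogus: no NSEC/NSEC3 proof of non-existence"
    return "secure: signed SOA and denial-of-existence proof present"

# Constructed sample modelling the failure described above: the SOA in the
# negative reply is served without its RRSIG, so validation cannot succeed.
UNSIGNED_NEGATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;nope.europa.eu.\t\tIN\tA

;; AUTHORITY SECTION:
europa.eu.\t600\tIN\tSOA\tns.example. hostmaster.example. 1 3600 900 604800 600
"""

if __name__ == "__main__":
    print(check_negative_response(UNSIGNED_NEGATIVE))
```

To run it against a live reply, feed it the output of `dig +dnssec` for the name that fails; a NOERROR reply with an empty ANSWER section is treated as negative, exactly as a validator does.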

I’ll forward your diagnostics to the IT Helpdesk.

EC Helpdesk has made a first attempt to fix the issue, but I’m not seeing any difference on my end.

It looks good on my end, even tested Omnia with forwarding. Perhaps some of it was still cached on your forwarder(s)?
