Kresd + Cloudflare (TLS) + DNSSEC: "dig www.cssz.cz" gives SERVFAIL

Being a long-time happy TO user, I noticed a strange issue with a particular website: www.cssz.cz. Web browsers say the server is not found, while other domains/websites work flawlessly.

The setup is pretty basic: TurrisOS 5.2.7 on Turris Omnia, LTE uplink (IPv4 only), NAT, clients connected mostly over Wi-Fi. DNS: kresd set to forward requests to Cloudflare (TLS), DNSSEC validation enabled. I think this is the default config, just a different remote resolver is selected in reForis.

To diagnose, I did a quick digging around – we get the correct A record, but SERVFAIL flag is present: [LOG1 link in the post below]

Enabling verbose logging with
# socat - /tmp/kresd/control/*
> verbose(true)
gives the following: [LOG2 link in the second post]

Asking Cloudflare’s resolver directly (dig @1.1.1.1 www.cssz.cz) or NIC.CZ’s resolver (dig @193.17.47.1 www.cssz.cz) succeeds. I read both use kresd internally.

Disabling DNSSEC validation in reForis DNS settings makes the problem go away, but is not a good solution.
Also making a hotspot on a mobile phone and connecting over that works well (using ISP’s resolvers - whatever they are).

I highly suspect the problem is on the other end – with cssz’s DNS/DNSSEC records (like in a few other threads on this forum). Also their TTL of just 5 seconds feels uncommon.
Some “red things” show up when entering the domain name into this DNSSEC analyzer, but I would prefer someone more knowledgeable to verify if I need to fix something, or if the issue should be reported to them.

Thanks for your input!

(The “Sorry, new users can only put 2 links in a post.” rule is annoying.)

Here are the links:
LOG1: $ dig www.cssz.cz; <<>> DiG 9.10.6 <<>> www.cssz.cz;; global options: +cmd - Pastebin.com
LOG2: Nov 3 21:25:14 to kresd[27449]: [00000.00][plan] plan 'www.cssz.cz.' type 'A' u - Pastebin.com

As you might see in the log, the problem comes from Cloudflare returning SERVFAIL (on an intermediate query):

dig @1.1.1.1 NS www.cssz.cz

; <<>> DiG 9.16.16 <<>> +dnssec +nocr +noclass @1.1.1.1 NS www.cssz.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49780
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 22 (No Reachable Authority)
;; QUESTION SECTION:
;www.cssz.cz.           IN      NS

;; Query time: 31 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Nov 05 11:48:05 CET 2021
;; MSG SIZE  rcvd: 46

I forwarded the issue to them: SERVFAIL on www.cssz.cz NS - 1.1.1.1 - Cloudflare Community
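To show what the dig output above actually encodes on the wire, here is an added example (not from the thread, kresd or dig) that builds the same kind of EDNS0 query a validating forwarder sends (RD set, DO bit set, 1232-byte buffer) and parses a response for its rcode, header flags, DO bit and any Extended DNS Error (RFC 8914) options. The 46-byte SERVFAIL with EDE 22 is constructed inline to mirror the 1.1.1.1 reply shown above, not captured from the network.

```python
import struct

OPT, NS = 41, 2                       # RR type codes used below
EDE = 15                              # EDNS option code: Extended DNS Error (RFC 8914)
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
EDE_NAMES = {6: "DNSSEC Bogus", 22: "No Reachable Authority", 23: "Network Error"}

def encode_name(name):                # dotted name -> length-prefixed labels + 0 terminator
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(data, off):             # offset just past a (possibly compressed) wire name
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 else 1)

def opt_rr(udp_size=1232, do=True, options=b""):
    ttl = 0x8000 if do else 0         # the DO bit lives in the top bit of the OPT "TTL" field
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(options)) + options

def build_query(name, qtype, msg_id, dnssec=True):
    hdr = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 OPT
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr(do=dnssec)

def parse_response(data):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):               # skip the question section (name + type + class)
        off = skip_name(data, off) + 4
    info = {"id": msg_id, "rcode": RCODE.get(flags & 0xF, flags & 0xF), "qr": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
            "do": False, "ede": []}
    for _ in range(an + ns + ar):     # walk every RR; only the OPT pseudo-RR matters here
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10]); off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == OPT:
            info["do"] = bool(ttl & 0x8000)
            while len(rdata) >= 4:    # EDNS options: code, length, payload
                code, olen = struct.unpack("!HH", rdata[:4])
                if code == EDE:       # payload = 2-byte info-code + optional UTF-8 text
                    info["ede"].append((struct.unpack("!H", rdata[4:6])[0],
                                        rdata[6:4 + olen].decode(errors="replace")))
                rdata = rdata[4 + olen:]
    return info

# Constructed sample mirroring the dig output: id 49780, flags qr rd ra, SERVFAIL,
# question "www.cssz.cz IN NS", one OPT RR carrying EDE 22 with no text (46 bytes).
SAMPLE = (struct.pack("!HHHHHH", 49780, 0x8182, 1, 0, 0, 1)
          + encode_name("www.cssz.cz") + struct.pack("!HH", NS, 1)
          + opt_rr(options=struct.pack("!HHH", EDE, 2, 22)))
```

Sending `build_query("www.cssz.cz", NS, 49780)` to a resolver over UDP port 53 and feeding the reply to `parse_response` reproduces the check the post did with dig; an empty `ede` list on a SERVFAIL means the resolver gave no reason.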

Cloudflare changed to be more permissive (for cssz errors), so this appears to work now.
