Kresd + Cloudflare (TLS) + DNSSEC: "dig" gives SERVFAIL

Being a long-time happy TO user, I noticed a strange issue with a particular website: Web browsers say the server is not found, while other domains/websites work flawlessly.

The setup is pretty basic: TurrisOS 5.2.7 on Turris Omnia, LTE uplink (IPv4 only), NAT, clients connected mostly over Wi-Fi. DNS: kresd set to forward requests to Cloudflare (TLS), DNSSEC validation enabled. I think this is the default config, just a different remote resolver is selected in reForis.

To diagnose, I did some quick digging around – we get the correct A record, but the SERVFAIL flag is present: [LOG1 link in the post below]

Enabling verbose logging with
# socat - /tmp/kresd/control/*
> verbose(true)
gives the following: [LOG2 link in the second post]

Asking Cloudflare’s resolver directly (dig @ or NIC.CZ’s resolver (dig @ succeeds. I read both use kresd internally.

Disabling DNSSEC validation in reForis DNS settings makes the problem go away, but is not a good solution.
Also making a hotspot on a mobile phone and connecting over that works well (using ISP’s resolvers - whatever they are).

I highly suspect the problem is on the other end – with cssz’s DNS/DNSSEC records (like in a few other threads on this forum). Also their TTL of just 5 seconds feels uncommon.
Some “red things” show up when entering the domain name into this DNSSEC analyzer, but I would prefer someone more knowledgeable to verify whether I need to fix something, or whether the issue should be reported to them.

Thanks for your input!

Here are the links:
LOG1: $ dig; <<>> DiG 9.10.6 <<>>;; global options: +cmd -
LOG2: Nov 3 21:25:14 to kresd[27449]: [00000.00][plan] plan '' type 'A' u -

As you might see in the log, the problem comes from Cloudflare returning SERVFAIL (on an intermediate query):

dig @ NS

; <<>> DiG 9.16.16 <<>> +dnssec +nocr +noclass @ NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49780
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 1232
; EDE: 22 (No Reachable Authority)
;           IN      NS

;; Query time: 31 msec
;; WHEN: Fri Nov 05 11:48:05 CET 2021
;; MSG SIZE  rcvd: 46

I forwarded the issue to them: SERVFAIL on NS - - Cloudflare Community
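The diagnostic step taken in the reply above, comparing the local resolver's answer with the upstream's and reading the Extended DNS Error (EDE) code, can be scripted so that a SERVFAIL caused by a DNSSEC validation failure is told apart from one the upstream produced because it could not reach the authoritative servers. The following is an added example, not code from the thread or from the Turris/kresd project: it parses `dig +dnssec` output and classifies the result. The EDE code names come from RFC 8914; the first transcript is copied from the reply above, the other two are constructed, and the `classify` labels are this example's own naming.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Extended DNS Error codes from RFC 8914, keyed by their numeric value.
EDE_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing",
    13: "Cached Error", 14: "Not Ready", 15: "Blocked", 16: "Censored",
    17: "Filtered", 18: "Prohibited", 19: "Stale NXDOMAIN Answer",
    20: "Not Authoritative", 21: "Not Supported", 22: "No Reachable Authority",
    23: "Network Error", 24: "Invalid Data",
}
# Codes that this example treats as "the validator rejected the data" (an
# assumption of this example: 1, 2 and 5..12 all describe DNSSEC problems).
DNSSEC_EDE = {1, 2} | set(range(5, 13))

@dataclass
class DigResult:
    status: Optional[str] = None      # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: set = field(default_factory=set)  # qr rd ra ad ...
    ede: Optional[int] = None         # numeric EDE code, if the resolver sent one
    answers: int = 0                  # ANSWER count from the flags line

def parse_dig(output: str) -> DigResult:
    """Extract status, header flags, answer count and EDE code from dig output."""
    r = DigResult()
    for line in output.splitlines():
        if ";; ->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            if m:
                r.status = m.group(1)
        m = re.match(r";; flags: ([^;]*);.*ANSWER: (\d+)", line)
        if m:
            r.flags = set(m.group(1).split())
            r.answers = int(m.group(2))
        m = re.match(r"; EDE: (\d+)", line)
        if m:
            r.ede = int(m.group(1))
    return r

def classify(r: DigResult) -> str:
    """Map a parsed answer to a coarse verdict useful when bisecting a resolver chain."""
    if r.status == "NOERROR":
        # The AD flag means the resolver validated the data with DNSSEC.
        return "ok-validated" if "ad" in r.flags else "ok-unvalidated"
    if r.status != "SERVFAIL":
        return "other:" + (r.status or "unknown")
    if r.ede is None:
        return "servfail-unknown"
    if r.ede in DNSSEC_EDE:
        return "servfail-dnssec (%s)" % EDE_CODES[r.ede]
    return "servfail-upstream (%s)" % EDE_CODES.get(r.ede, "Unknown")

# Transcript copied from the reply above (names elided there are elided here too).
UPSTREAM_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49780
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 22 (No Reachable Authority)
"""
# Constructed: what a validating resolver returns when it rejects the data itself.
LOCAL_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 6 (DNSSEC Bogus)
"""
# Constructed: a healthy, validated answer.
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, text in [("upstream", UPSTREAM_SERVFAIL), ("local", LOCAL_BOGUS), ("healthy", HEALTHY)]:
        print(name, "->", classify(parse_dig(text)))
```

In practice you would feed `parse_dig` the output of `dig +dnssec` run against the router's kresd and against the configured upstream in turn: a DNSSEC-class SERVFAIL from kresd while the upstream answers NOERROR with `ad` points at local validation (clock, trust anchors, a stale cache), whereas an upstream SERVFAIL carrying EDE 22 or 23, as in the reply above, means the forwarder itself failed before any validation happened, so disabling DNSSEC locally would only mask the symptom.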

CloudFlare changed to be more permissive (for cssz errors), so this appears to work now.

