SERVFAIL, CAA and NetSol - oh my!

My domain is: cyberthreatalliance.org and www.cyberthreatalliance.org

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Proprietary (Pantheon hosting)

My hosting provider, if applicable, is: Pantheon

I can login to a root shell on my machine (yes or no, or I don't know): not really...

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Proprietary (Pantheon hosting)

Lovely people, I know you helped me with a similar problem in the past, and it was found to rest on NetSol's shoulders, but I am merely looking for something to give the customer to use as ammo when they call(?) NetSol to ask that this be fixed. Sadly, I am not that versed in reading any of this...

I think that the fact that no CAA appears for either DNSViz (thanks for the trick regarding the advanced settings!) is telling, but I don't know how... :frowning: Can anyone point me toward something I can either give the customer, or something I can point my dull brain at?

As always, thank you so so much!

Kristin

Let's Debug results:

cyberthreatalliance.org

All OK!
OK
No issues were found with cyberthreatalliance.org. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

www.cyberthreatalliance.org

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for www.cyberthreatalliance.org/CAA.
DNS response for www.cyberthreatalliance.org had fatal DNSSEC issues: validation failure <www.cyberthreatalliance.org. CAA IN>: nodata proof failed from 162.159.26.110 and 162.159.27.124

DNSViz's DNSSEC viewer, set to CAA only, is blank for both:

cyberthreatalliance.org

www.cyberthreatalliance.org

CAA record lookups (via Google) for both are different:

cyberthreatalliance.org:

id 30505, opcode QUERY, rcode NOERROR, flags QR RD RA
;QUESTION
cyberthreatalliance.org. IN CAA
;ANSWER
;AUTHORITY
cyberthreatalliance.org. 1800 IN SOA NS9.WORLDNIC.COM. namehost.WORLDNIC.COM. 122042118 10800 3600 604800 3600
;ADDITIONAL

www.cyberthreatalliance.org

id 4268, opcode QUERY, rcode SERVFAIL, flags QR RD RA
;QUESTION
www.cyberthreatalliance.org. IN CAA
;ANSWER
;AUTHORITY
;ADDITIONAL

Unboundtest.com results for both:

cyberthreatalliance.org

Last lines:
Apr 22 20:12:21 unbound[306927:0] info: validated DNSKEY cyberthreatalliance.org. DNSKEY IN
Apr 22 20:12:21 unbound[306927:0] info: validate(positive): sec_status_secure
Apr 22 20:12:21 unbound[306927:0] info: validation success cyberthreatalliance.org. CAA IN

www.cyberthreatalliance.org

Last lines:
Apr 22 20:13:41 unbound[306931:0] info: reply from <cyberthreatalliance.org.> 162.159.26.110#53
Apr 22 20:13:41 unbound[306931:0] info: query response was nodata ANSWER
Apr 22 20:13:41 unbound[306931:0] info: validate(nodata): sec_status_bogus

You're using Network Solutions as your DNS provider. That's the issue :slight_smile:

2 Likes

But isn't that Cloudflare behind the curtain?

1 Like

Don't overcomplicate it: The problem is just DNS resolution is returning SERVFAIL for CAA queries for www.cyberthreatalliance.org. You could go into more detail like sending the detailed errors that DNSViz shows, but they should (if they know how to run a DNS server, which apparently they don't) be able to just understand that they're sending invalid DNSSEC responses for there not being a CAA record.

Hmm… following those links, I do see a blank screen for the non-www version (which is odd and I haven't seen before), but for the www version I see several errors listed. (Which basically show exactly how they're sending invalid DNSSEC responses.)

  • NSEC proving non-existence of www.cyberthreatalliance.org/CAA: No NSEC RR matches the SNAME (www.cyberthreatalliance.org).
  • NSEC proving non-existence of www.cyberthreatalliance.org/CAA: No NSEC RR matches the SNAME (www.cyberthreatalliance.org).
  • NSEC proving non-existence of www.cyberthreatalliance.org/CAA: The following queries resulted in an answer response, even though the NSEC records indicate that the queried names don't exist: www.cyberthreatalliance.org/A, www.cyberthreatalliance.org/AAAA
  • NSEC proving non-existence of www.cyberthreatalliance.org/CAA: The following queries resulted in an answer response, even though the NSEC records indicate that the queried names don't exist: www.cyberthreatalliance.org/A, www.cyberthreatalliance.org/AAAA

Whois data for worldnic.com show it as being owned by Network Solutions. Maybe Network Solutions is just hosting (or fronting) their infrastructure on Cloudflare? I don't think Cloudflare is really operating the DNS server though, since Cloudflare (usually) knows what they're doing. :slight_smile:

5 Likes
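The DNSViz errors quoted in the answer above can be reproduced with a small NSEC check. This is an added example, not part of the original posts and not DNSViz's or Unbound's code. It models only the name-matching and type-bitmap logic a validator applies to a NODATA response (RRSIG verification and wildcards are out of scope). The function names and the `example.org` NSEC chains are constructed for illustration.

```python
# Added example: NSEC NODATA proof check (RFC 4035 section 5.4 logic,
# signatures and wildcards out of scope). All records are constructed.

def canon(name):
    """RFC 4034 section 6.1 sort key: lowercase labels, rightmost first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def covers(owner, nxt, qname):
    """True if qname sorts strictly inside the gap owner -> next."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

def check_nodata(qname, qtype, nsecs):
    """nsecs: list of (owner, next, types). Returns (ok, reason)."""
    for owner, _nxt, types in nsecs:
        if canon(owner) == canon(qname):
            if qtype in types or "CNAME" in types:
                return False, "matching NSEC bitmap lists %s or CNAME" % qtype
            return True, "matching NSEC proves no %s at this name" % qtype
    for owner, nxt, _types in nsecs:
        if covers(owner, nxt, qname):
            return False, "no NSEC matches SNAME; %s -> %s denies the name" % (owner, nxt)
    return False, "no NSEC matches or covers SNAME"

def audit(qname, qtype, nsecs, answered):
    """answered: types that returned data for qname in other queries."""
    ok, reason = check_nodata(qname, qtype, nsecs)
    findings = [] if ok else [reason]
    if any(covers(o, n, qname) for o, n, _t in nsecs) and answered:
        findings.append("name denied by NSEC but answers for " + "/".join(sorted(answered)))
    return ok, findings

# Constructed zone data (not taken from the real domain).
BROKEN = [("example.org", "mail.example.org", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
          ("mail.example.org", "example.org", {"A", "RRSIG", "NSEC"})]
FIXED = [("example.org", "mail.example.org", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
         ("mail.example.org", "www.example.org", {"A", "RRSIG", "NSEC"}),
         ("www.example.org", "example.org", {"A", "AAAA", "RRSIG", "NSEC"})]

if __name__ == "__main__":
    for label, chain in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit("www.example.org", "CAA", chain, {"A", "AAAA"}))
```

In the `BROKEN` chain the signed zone has no NSEC for `www`, so the only record the server can return is one that covers the name, which is why the apex validates while the `www` CAA query is bogus.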

Probably only for CDN.

1 Like
