SERVFAIL looking up CAA, but I see NOERROR myself

Are the other 160 domains using the same authoritative DNS servers, with DNSSEC enabled?

I’m not clear why, but Unbound appears to think they’re behaving improperly.

https://unboundtest.com/m/CAA/m.auditcenter.hu/K27MGN5E

Aug 01 18:10:51 unbound[27014:0] info: validator operate: query m.auditcenter.hu. CAA IN
Aug 01 18:10:51 unbound[27014:0] debug: verify: signature mismatch
Aug 01 18:10:51 unbound[27014:0] info: validator: response has failed AUTHORITY rrset: m.auditcenter.hu. NSEC IN
Aug 01 18:10:51 unbound[27014:0] info: Validate: message contains bad rrsets

Edit:

It appears to be related to capitalized negative responses (e.g. for AAAA as well) and not particularly CAA. I might speculate that it’s the PowerDNS bug fixed in version 4.0.4, but the servers strangely respond to version queries with SERVFAIL, and I’m not knowledgeable enough to otherwise be sure.

No, they are using around 100 nameservers (their owners and registrars are different). I only have the SERVFAIL problem with this one, but cannot reproduce the error message with either the host or the dig command-line utility.

Send a query to a resolver that validates DNSSEC, for a record set that doesn’t exist, ensuring some of it is capitalized.

(Let’s Encrypt and https://unboundtest.com/ are configured to always use random capitalization (so-called 0x20 randomization) for security purposes, and to validate DNSSEC, exposing problems like this more often than many other resolvers.)

$ dig Auditcenter.Hu aaaa @publicdns.goog

; <<>> DiG 9.10.3-P4-Ubuntu <<>> Auditcenter.Hu aaaa @publicdns.goog
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60292
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;Auditcenter.Hu.                        IN      AAAA

;; Query time: 344 msec
;; SERVER: 2001:4860:4860::8844#53(2001:4860:4860::8844)
;; WHEN: Tue Aug 01 18:36:11 UTC 2017
;; MSG SIZE  rcvd: 43

Similar to this other thread, all signs point to your nameservers running PowerDNS <4.0.3, with “version-string=anonymous” hiding the version (@sahsanu reports that setting can cause version.bind txt ch queries to return SERVFAIL). I would recommend asking your DNS operator to upgrade to version 4.0.4 or above as soon as possible, since all of their customers will have this problem.
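To make the mechanism behind the advice above concrete, here is an added example (my own illustration, not code from the thread or from Unbound, PowerDNS or Let’s Encrypt). It builds a query with 0x20 case randomization the way a resolver like Unbound does, shows the resolver-side check that a response must echo the question byte for byte (so an off-path spoofer also has to guess the case pattern), and shows why DNSSEC signatures must still verify regardless of that pattern: RFC 4034 section 6.2 lowercases owner names into canonical form before signing, so a signer that instead signs the owner name in the case the query used produces exactly the “signature mismatch” seen on the NSEC record above. The fixed random source, the query ID and the NXDOMAIN-style response are constructed sample data; the domain name is the one from the thread.

```python
"""0x20 query-name case randomization and DNSSEC canonical form.

Added illustration, not from the thread. Sample data (the fixed
"random" bits, the query ID and the constructed responses) is made up.
"""
import os
import struct

QTYPE_AAAA = 28
QTYPE_CAA = 257
QCLASS_IN = 1


def randomize_0x20(name: str, rng=os.urandom) -> str:
    """Flip the case of each ASCII letter of `name` using random bits.

    Authoritative servers must echo the question unchanged, so the chosen
    pattern becomes extra entropy a blind spoofer has to guess, on top of
    the 16-bit ID and the source port.
    """
    bits = rng((len(name) + 7) // 8)
    out = []
    for i, ch in enumerate(name):
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits[i // 8] >> (i % 8)) & 1 else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, case preserved."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    if any(len(lbl) > 63 for lbl in labels):
        raise ValueError("label too long")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def canonical_name(name: str) -> bytes:
    """RFC 4034 section 6.2 canonical form: lowercase, uncompressed wire format.

    RRSIGs cover RRsets whose owner names are in this form, so the same
    signature must verify for any case pattern the query happened to use.
    """
    return encode_name(name.lower())


def build_query(qname: str, qtype: int, qid: int) -> bytes:
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg: bytes):
    """Return (qid, qname_wire, qtype, qclass) for a message's first question."""
    (qid,) = struct.unpack("!H", msg[:2])
    pos = start = 12
    while msg[pos] != 0:          # walk the length-prefixed labels
        pos += 1 + msg[pos]
    pos += 1                      # root label
    qname_wire = msg[start:pos]
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, qname_wire, qtype, qclass


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Resolver-side 0x20 check: ID and question must match exactly, case
    included. A response that only matches case-insensitively is dropped."""
    return parse_question(query) == parse_question(response)


def make_response(query: bytes, rcode: int = 3) -> bytes:
    """Constructed negative (NXDOMAIN by default) response echoing the question."""
    qid, qname_wire, qtype, qclass = parse_question(query)
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + qname_wire + struct.pack("!HH", qtype, qclass)


def demo():
    fixed_rng = lambda n: bytes([0b10101010] * n)   # deterministic for the demo
    qname = randomize_0x20("auditcenter.hu", fixed_rng)
    query = build_query(qname, QTYPE_AAAA, 0x1234)
    genuine = make_response(query)
    # A spoofer that guessed the ID but not the case pattern:
    spoofed = make_response(build_query("auditcenter.hu", QTYPE_AAAA, 0x1234))
    return {
        "qname": qname,
        "genuine_ok": response_matches_query(query, genuine),
        "spoofed_ok": response_matches_query(query, spoofed),
        # Owner-name canonical form is the same whatever case was queried.
        "canonical_equal": canonical_name(qname) == canonical_name("auditcenter.hu"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `canonical_equal` result is the crux of the thread: the NSEC RRset in the AUTHORITY section should carry a signature computed over `auditcenter.hu` in canonical (lowercase) form, so it verifies for `AuDiTcEnTeR.hU` too. When a validator reports a mismatch only for mixed-case queries, the signer is deriving something from the query’s case, which is the authoritative server’s bug, not the resolver’s.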

Finally my provider rolled out an update to their DNS platform and this seems to have fixed the problem. They still haven’t disclosed whether or not they are using PowerDNS.

Thanks for all your assistance!
