SERVFAIL responses from .win TLD nameservers?

Is anyone else getting SERVFAIL errors against Cloudflare hosted zones today? I'm messing around with certs on a test domain, poshacme.win (which does not have DNSSEC enabled) and all my dns-01 challenge validations are returning SERVFAIL errors today where normally they work just fine.

Unboundtest seems to confirm the issue. But normal dig queries from my local machine against eva.ns.cloudflare.com or rob.ns.cloudflare.com seem to work just fine.

2 Likes

Ok weird. I'm testing against another one of my domains on the same account and it works just fine. This might be something weird with just that zone. Though I can't imagine what the problem might be.

2 Likes

Looking closer at the Unboundtest response. I think this might be an issue specifically with the .win TLD nameservers and not Cloudflare? Am I reading that right?

Query results for A poshacme.win

Response:
;; opcode: QUERY, status: SERVFAIL, id: 15400
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;poshacme.win.	IN	 A

----- Unbound logs -----
May 06 19:47:05 unbound[1407279:0] notice: init module 0: validator
May 06 19:47:05 unbound[1407279:0] notice: init module 1: iterator
May 06 19:47:05 unbound[1407279:0] info: start of service (unbound 1.12.0).
May 06 19:47:06 unbound[1407279:0] info: 127.0.0.1 poshacme.win. A IN
May 06 19:47:06 unbound[1407279:0] info: resolving poshacme.win. A IN
May 06 19:47:06 unbound[1407279:0] info: priming . IN NS
May 06 19:47:06 unbound[1407279:0] info: response for . NS IN
May 06 19:47:06 unbound[1407279:0] info: reply from <.> 199.9.14.201#53
May 06 19:47:06 unbound[1407279:0] info: query response was ANSWER
May 06 19:47:06 unbound[1407279:0] info: priming successful for . NS IN
May 06 19:47:07 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:07 unbound[1407279:0] info: reply from <.> 199.7.83.42#53
May 06 19:47:07 unbound[1407279:0] info: query response was REFERRAL
May 06 19:47:10 unbound[1407279:0] info: Capsforid: timeouts, starting fallback
May 06 19:47:13 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:13 unbound[1407279:0] info: reply from <win.> 156.154.156.182#53
May 06 19:47:13 unbound[1407279:0] info: Capsforid: reply is equal. go to next fallback
May 06 19:47:29 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:29 unbound[1407279:0] info: reply from <win.> 156.154.157.182#53
May 06 19:47:29 unbound[1407279:0] info: Capsforid: reply is equal. go to next fallback
1 Like
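Reading an Unboundtest log like the one above by hand works, but the same triage can be scripted. The block below is an added example, not code from this thread, from Unboundtest or from Unbound itself: it parses the log lines quoted above (embedded here as a constructed sample), pairs each "reply from <zone>" line with the query it answered and the outcome Unbound logged next, and reports the last delegation level reached and whether the target name ever got an ANSWER. On this log the root servers return a REFERRAL and every reply from the win. servers ends in a Capsforid fallback, so the suspect zone is win.

```python
import re
from collections import defaultdict

# Constructed sample: the Unbound log lines quoted in this thread, trimmed to the resolution events.
UNBOUND_LOG = """\
May 06 19:47:06 unbound[1407279:0] info: resolving poshacme.win. A IN
May 06 19:47:06 unbound[1407279:0] info: priming . IN NS
May 06 19:47:06 unbound[1407279:0] info: response for . NS IN
May 06 19:47:06 unbound[1407279:0] info: reply from <.> 199.9.14.201#53
May 06 19:47:06 unbound[1407279:0] info: query response was ANSWER
May 06 19:47:06 unbound[1407279:0] info: priming successful for . NS IN
May 06 19:47:07 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:07 unbound[1407279:0] info: reply from <.> 199.7.83.42#53
May 06 19:47:07 unbound[1407279:0] info: query response was REFERRAL
May 06 19:47:10 unbound[1407279:0] info: Capsforid: timeouts, starting fallback
May 06 19:47:13 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:13 unbound[1407279:0] info: reply from <win.> 156.154.156.182#53
May 06 19:47:13 unbound[1407279:0] info: Capsforid: reply is equal. go to next fallback
May 06 19:47:29 unbound[1407279:0] info: response for poshacme.win. A IN
May 06 19:47:29 unbound[1407279:0] info: reply from <win.> 156.154.157.182#53
May 06 19:47:29 unbound[1407279:0] info: Capsforid: reply is equal. go to next fallback
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[[^\]]+\] (?P<level>\w+): (?P<msg>.*)$")
REPLY_RE = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<ip>[^#]+)#\d+$")


def parse_lines(text):
    """Split raw Unbound log text into dicts with ts/level/msg; lines that do not match are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def reply_records(events):
    """Pair every 'reply from <zone> ip' line with the query it answered and the outcome logged after it."""
    records, target, pending = [], None, None
    capsforid_fallback = False
    for ev in events:
        msg = ev["msg"]
        m = REPLY_RE.match(msg)
        if m:
            records.append({"query": pending, "zone": m.group("zone"),
                            "ip": m.group("ip"), "outcome": None})
        elif msg.startswith("resolving ") and target is None:
            target = msg[len("resolving "):]          # the name the client asked for
        elif msg.startswith("response for "):
            pending = msg[len("response for "):]     # the query the next reply belongs to
        elif msg.startswith("query response was ") and records:
            records[-1]["outcome"] = msg.rsplit(" ", 1)[1]   # ANSWER / REFERRAL / ...
        elif msg == "Capsforid: timeouts, starting fallback":
            capsforid_fallback = True                # 0x20 queries timed out; Unbound retries plainly
        elif msg.startswith("Capsforid:") and records:
            records[-1]["outcome"] = "CAPSFORID_FALLBACK"
    return target, records, capsforid_fallback


def analyze(text):
    """Summarise which delegation level the lookup of the target name died at."""
    target, records, fallback = reply_records(parse_lines(text))
    mine = [r for r in records if r["query"] == target]   # drop priming and other side queries
    servers, chain = defaultdict(list), []
    for r in mine:
        if r["zone"] not in chain:
            chain.append(r["zone"])
        servers[r["zone"]].append(r["ip"])
    answered = any(r["outcome"] == "ANSWER" for r in mine)
    last_zone = chain[-1] if chain else None
    return {
        "target": target,
        "chain": chain,
        "servers": dict(servers),
        "outcomes": {z: [r["outcome"] for r in mine if r["zone"] == z] for z in chain},
        "answered": answered,
        "capsforid_fallback": fallback,
        "suspect_zone": None if answered else last_zone,
    }


if __name__ == "__main__":
    summary = analyze(UNBOUND_LOG)
    for zone in summary["chain"]:
        print(f"<{zone}> servers={summary['servers'][zone]} outcomes={summary['outcomes'][zone]}")
    print("answered:", summary["answered"], "| suspect zone:", summary["suspect_zone"])
```

The script only attributes blame to the last zone whose servers replied without an ANSWER; it does not distinguish a server that times out on 0x20 queries from one that is simply down, so the result is a pointer for where to probe next (with dig over UDP and TCP, as the thread does), not a verdict.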

I'm ill-equipped to assist much here, but hoping I can learn something. Hopefully someone will be along shortly who will be able to contribute. I know _az has experience in this area.


FWIW, Google dig is also failing lookups for poshacme.win completely.


DNSViz seems to indicate some issues:

https://dnsviz.net/d/poshacme.win/dnssec/

Hi @rmbolger

yes, the Cloudflare name servers are ok, but the win name servers are fatal - see https://check-your-website.server-daten.de/?q=poshacme.win

X Fatal error: Nameserver doesn't support TCP connection: ns1.dns.nic.win: Timeout

The timeout when checking Echo Capitalization -> Unboundtest says that's a SERVFAIL, so that blocks creating Let's Encrypt certificates.

Normally, authoritative name servers don't have such fatal configurations.

But it looks like a temporary problem. See one older check - 2021-04-20 - https://check-your-website.server-daten.de/?q=isglo.win

2021-05-06.poshacme.win.3

That's the expected result.

3 Likes
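The two checks that the report above turns on, TCP support and "Echo Capitalization" (the 0x20 case randomization that Unbound logs as Capsforid), can be reproduced with standard-library Python. The block below is an added example, not the check-your-website or Unboundtest code: it builds a raw DNS query whose QNAME has randomized letter case, verifies byte-for-byte that a reply echoes that case, and includes a sender for both UDP and TCP (the TCP path is the one reported as timing out for ns1.dns.nic.win). `fake_response` is a constructed stand-in for a server reply so the check runs offline; `check_server` and `send_query` are only for use against a live server and are assumptions about how such a probe would be wired up, not part of any tool named in the thread.

```python
import random
import socket
import struct


def encode_name(name):
    """Wire-encode a dotted name ("PoShAcMe.WiN." -> length-prefixed labels), preserving letter case."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read an uncompressed name starting at `offset`; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def randomize_case(name, rng):
    """DNS 0x20: flip each letter of the QNAME to upper or lower case at random."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower() for c in name)


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def question_name(msg):
    """Return the QNAME from the question section of a query or reply, case preserved."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, _ = decode_name(msg, 12)
    return name


def echo_matches(query, response):
    """The 'Echo Capitalization' check: same transaction id and a byte-identical QNAME echo."""
    return query[:2] == response[:2] and question_name(query) == question_name(response)


def fake_response(query, rewrite=None):
    """Constructed stand-in for a reply (NOERROR, no records); `rewrite` mimics a server that alters QNAME case."""
    name = question_name(query)
    if rewrite is not None:
        name = rewrite(name)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, 0, 0, 0)
    return header + encode_name(name) + query[-4:]   # reuse the original QTYPE/QCLASS


def send_query(server, query, tcp=False, timeout=3.0):
    """Send `query` to `server` (IP string, port 53) over UDP or TCP; return the raw reply bytes."""
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP frames carry a 2-byte length prefix
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("short TCP reply")
                data += chunk
            return data
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def check_server(server, zone_name, rng=None):
    """Live probe (needs network): UDP and TCP queries with a 0x20 name; returns a per-transport result."""
    rng = rng or random.Random()
    result = {}
    for transport in ("udp", "tcp"):
        query = build_query(randomize_case(zone_name, rng))
        try:
            reply = send_query(server, query, tcp=(transport == "tcp"))
            result[transport] = "ok" if echo_matches(query, reply) else "case-mismatch"
        except (OSError, ValueError) as exc:
            result[transport] = "error: %s" % exc   # a timeout here is what the report above flags
    return result


if __name__ == "__main__":
    q = build_query("PoShAcMe.WiN.")
    print("exact echo:", echo_matches(q, fake_response(q)))                  # True
    print("lowercased echo:", echo_matches(q, fake_response(q, str.lower)))  # False
```

A resolver that uses 0x20 treats a reply whose QNAME case differs from what it sent the same way it treats a missing reply, which is why a server that rewrites case or drops odd-looking queries shows up in Unbound logs as Capsforid timeouts and, after the fallback is exhausted, as SERVFAIL to the client.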

Thanks @JuergenAuer. Good to get confirmation that it's not just something dumb I did. Unfortunate that it's a problem at the TLD level. I guess that's what I get for buying test domains from $1 TLDs? I used to only have trouble like this with Freenom stuff.

2 Likes

Looks like whatever they broke is fixed now as well. Unboundtests are succeeding again and so are my cert validations.

1 Like

But it's not a problem of the domain registrar.

It's a problem of the TLD zone win.

A TLD zone should never send such results.

PS: My DNS provider inwx.de also has .win domains - poshacmetest.win - 33,29 € - https://www.inwx.com/en/domain/check#search=poshacmetest.win#region=DEFAULT#rc=rc1

1 Like

I'm still seeing a bunch of errors with DNSViz.

Admittedly I wish I were a lot more knowledgeable in this area. It's something I really want to sit down and study when I have the time. Perhaps @JuergenAuer has a better idea of the impact/significance of these errors/warnings and if/how they match up to the results of his own tools.

I can't be certain (don't have the time to confirm it)...
But it might be related to recent BIND vulnerabilities:
BIND 9 Security Vulnerability Matrix - Security Advisories (isc.org)

Too busy trading crypto (for :beer:)

2 Likes
