Score:0

Suddenly dig +nocmd pop3.pauperis.org aaaa +noall +answer returns nothing

cn flag

the command dig +nocmd pop3.pauperis.org aaaa +noall +answer returns the followingin my laptop:

pop3.pauperis.org.  3111    IN  CNAME   pauperis.org.
pauperis.org.       3111    IN  AAAA    2001:41d0:1:8ade::1

but the same command on my server, suddenly, after no apparent config change returns nothing:

# dig +nocmd pop3.pauperis.org aaaa +noall +answer
#

This is the response on my server but with +trace option:

dig +nocmd pop3.pauperis.org aaaa +noall +answer +trace
.           44679   IN  NS  e.root-servers.net.
.           44679   IN  NS  m.root-servers.net.
.           44679   IN  NS  l.root-servers.net.
.           44679   IN  NS  b.root-servers.net.
.           44679   IN  NS  g.root-servers.net.
.           44679   IN  NS  i.root-servers.net.
.           44679   IN  NS  a.root-servers.net.
.           44679   IN  NS  d.root-servers.net.
.           44679   IN  NS  h.root-servers.net.
.           44679   IN  NS  f.root-servers.net.
.           44679   IN  NS  j.root-servers.net.
.           44679   IN  NS  k.root-servers.net.
.           44679   IN  NS  c.root-servers.net.
.           44679   IN  RRSIG   NS 8 0 518400 20220316050000 20220303040000 9799 . WHZ//zKcRc0aFze+haFiC5a0GwaCwCsopDkMLzMZrOTTvejeb96R01h+ 2mlnsd4qivrbop0a7fBz+Vs/m+YVOPku+vCO/fnZ+NW/KgrtXpHoPopE WayXrfwtEC+Iu/G7gD1bePIhXqeEMSYlfLD84g7ezASeXc4q3Yrfw3+s SnKkG/vwlZ3IFcSw90bqyYoV597fRLZYdEoUzDjp9onU/NcwqmWJ6muV Ms2IO7kHTaUfMO7z6mgf5PGC2ylTywz+4WZLFd6t8QvZypEMGFwPSxJ2 W86Sdh2QJSDznW3V5CFW3tW+59ZzKsJHuGlHTwqem+egipZMXoMW9y+F 08ZVlg==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.            172800  IN  NS  b2.org.afilias-nst.org.
org.            172800  IN  NS  a2.org.afilias-nst.info.
org.            172800  IN  NS  d0.org.afilias-nst.org.
org.            172800  IN  NS  a0.org.afilias-nst.info.
org.            172800  IN  NS  b0.org.afilias-nst.org.
org.            172800  IN  NS  c0.org.afilias-nst.info.
org.            86400   IN  DS  26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org.            86400   IN  RRSIG   DS 8 1 86400 20220321170000 20220308160000 9799 . m3lulShGydigMRJiRixpAFeO9YBBkntgr2Gk42/sts9JLeGVavWmrAyd 5uFDMPf+DqWjgz65BCR1kipEpJAbETmqiwf17rrk9yDIXYGDfrdv04tg w5+4LjANeRzCqr9CH2FFokRt5cl2AdCSn2kNonndSM72Zfhots5ggn8G nTXyt3Aj3Hg4xagS1ZqPhodM15r95NVWw4ozPywSt76vI/oOgEBF6ckw Hz9AEg5i4MdSoLTwiT9fLE51KfiJQO6Xfp8ZANUFtwrydLb0pqJtXMbC BoJnhXjyjWzlOA5/ze5PR3nCh7tbtbTdxdowiB2Jrc3j5Cirfw7dAske TAjiiQ==
;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 3 ms

pauperis.org.       86400   IN  NS  ns111.ovh.net.
pauperis.org.       86400   IN  NS  dns111.ovh.net.
pauperis.org.       86400   IN  DS  18975 7 2 9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C
pauperis.org.       86400   IN  RRSIG   DS 8 2 86400 20220322152315 20220301142315 30573 org. mE8EiULvqr8ZBCDb6rQnXHlxVoZtaTzbLjMtRi9w2jyGYYcKbX0m8N7R +b4NmqrsiQa7nz3DBbDDwt8IbXZfEIqVmGLJrx7Gp+uMDECa54mz06kG Xz1LWb6j/B6CA+1+fa+MyDBJt7A6inBLZQix8Fr9xkWRYznsQqyeeHnW YYo=
;; Received 305 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 83 ms

pop3.pauperis.org.  3600    IN  CNAME   pauperis.org.
pop3.pauperis.org.  3600    IN  RRSIG   CNAME 8 3 3600 20220403112323 20220304112323 37698 pauperis.org. OhXaHFQ1xfLU2T3zjUIBpKsW6k62NZVlnCf4aQKUhbtDcVTGbWDNbwo7 MkpsDh2zpwG3vIqzqdw9t0Uuq7A1U+TDH0SetnBDVvlR1dNNZRbEiWBd C1dJiNuItE37iDNexAebRBvSnM/9hfjDUwDaX7Q78iQS836gxkTSV/g7 Bys=
pauperis.org.       3600    IN  AAAA    2001:41d0:1:8ade::1
pauperis.org.       3600    IN  RRSIG   AAAA 8 2 3600 20220403112323 20220304112323 37698 pauperis.org. dZP/Vxls3u1x8lMQ4A4NULX/UMrf7M+YkBNim4pJ/O9qkHCHn3N19Fku JciU5LCsWd4dw856ejt6CLBDy1c5RSADfrP+q3O3x9kstsgrH+Wf0pP8 cU2y/mTJRSQWPp+6jBUITshXJvcuV+XFpHeA931570XelUGN7ZuEStzD COc=
;; Received 432 bytes from 2001:41d0:1:4a9b::1#53(dns111.ovh.net) in 3 ms

Could someone tell what could be going wrong?

Thank you so much in advanced :)

Score:1
cn flag

See https://dnsviz.net/d/pop3.pauperis.org/YifJYQ/dnssec/ this name has huge DNSSEC misconfiguration (typical case of mismatch of DS record at parent aka registry, and the DNSKEY records found in child). This needs to be solved before the whole domain works correctly.

Easy to spot also by comparing a normal answer through a validating resolver (hence with DNSSEC validation) and then explicitly forbidding DNSSEC validation:

$ dig pop3.pauperis.org @9.9.9.9

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c145784edda54901
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)

SERVFAIL can be a lot of things but DNSSEC fatal errors are always SERVFAIL error code, and then note in passing the Extended DNS Error: DNSKEY Missing .

And then the same bypassing DNSSEC (thanks to dig +cd flag):

$ dig pop3.pauperis.org @9.9.9.9 +cd

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9 +cd
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c028e114f2c210f8
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; ANSWER SECTION:
pop3.pauperis.org.  1h IN CNAME pauperis.org.
pauperis.org.       1h IN A 91.121.85.222

Now you get NOERROR. The simple fact of removing the DNSSEC validation makes things work is a good proof that the error is DNSSEC related.

cn flag
Thanks a lot for your help. In this case DNSSEC is managed by OVH as i just had to enable DNSSEC checkbox for it to work. I did it some years ago but it seems to be failing for some months.
Patrick Mevzek avatar
cn flag
" as i just had to enable DNSSEC checkbox for it to work." DNSSEC is unfortunately more complicated than just a checkbox. Your DNS provider might hide from you lots of difficulties, which is nice, but DNSSEC is really often not "fire and forget". It adds some security but also adds some complexity. Here it is odd that the registry had a DS record for your domain (which means DNSSEC enabled) but then it seems it was not enabled at your DNS provider. If your domain is important (like you loose money when it breaks), I suggest you make sure to monitor it, through some other means.
Patrick Mevzek avatar
cn flag
FWIW and posterity the new view of your domain in DNSViz: https://dnsviz.net/d/pop3.pauperis.org/Yif0JA/dnssec/ (showing both DNSSEC and everyhing ok) I highly recommend everyone to use DNSViz for any troubleshooting problem, it is very helpful.
cn flag
Hi, thanks a lot for your reply. It helped a lot as I had no idea where the issue was coming from. I knew the logic behind DNSSEC but as OVH offers this functionality for all managed domains I completely forgot about it. I checked everything but didn't think there could be an error on their behalf. After disabling DNSSEC on OVH Manager and waiting for some hours, it then worked again. :)
Patrick Mevzek avatar
cn flag
Yes, but then you are not immune to the problem coming back later, and Murphy helping at the worst time, if you are not sure how it happened that you had a DS record at registry without corresponding DNSKEY in your zone. Maybe your DNS provider rotated its keys and asked you to update the DS (specially if they are not also the sponsoring registrar of the domain) and if you did not they may have just rotated anyway pushing you in the situation where the current DS does not match any DNSKEY in the zone. It would be better if you can enable DNSSEC again, but you can't if not understanding case
cn flag
Yes, I understand it perfectly. Obviously I enabled DNSSEC again and it worked like charm. I own about 9 domains all managaed through OVH and this one was the only one which started failing. Anyway, thank you so much for the tip. It made my day :)
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.