
SERVFAIL when resolving `www.cdc.gov` (knot-resolver 3.2.1, 5.1.3, and 5.2.1)

Starting from a cleared cache, I tried to resolve `www.cdc.gov` from a knot-resolver instance. I got a SERVFAIL.

I've seen this behavior in knot-resolver 3.2.1 and 5.1.3 and 5.2.1.

I think it has something to do with DNSSEC and QNAME minimization, but I might be misunderstanding it too. In particular, Akamai seems to be authoritative for the `akam.cdc.gov` zone, which maybe has a DS record but no DNSKEY record? Maybe there are other issues I don't understand though.

Below is a log from a 5.2.1 instance running with `verbose(true)`:

Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan 'www.cdc.gov.' type 'A' uid [49186.00]
Dec 22 14:01:50 alice kresd[814779]: [49186.00][iter]   'www.cdc.gov.' type 'A' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.01][resl]   => using root hints
Dec 22 14:01:50 alice kresd[814779]: [49186.01][iter]   'www.cdc.gov.' type 'A' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.02][resl]   >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [49186.02][plan]   plan '.' type 'DNSKEY' uid [49186.03]
Dec 22 14:01:50 alice kresd[814779]: [49186.03][iter]     '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl]     => id: '54881' querying: '2001:500:9f::42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl]     => id: '54881' querying: '199.7.83.42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][iter]     <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr]     <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr]     <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.04][cach]     => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [ta_signal_query] signalling query trigered: _ta-4f66.
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl]     <= server: '2001:500:9f::42' rtt: >= 220 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl]     <= server: '199.7.83.42' rtt: 20 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.02][iter]   'www.cdc.gov.' type 'A' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl]   => id: '15349' querying: '2001:dc3::35#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan '_ta-4f66.' type 'NULL' uid [65566.00]
Dec 22 14:01:50 alice kresd[814779]: [65566.00][iter]   '_ta-4f66.' type 'NULL' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.01][resl]   => using root hints
Dec 22 14:01:50 alice kresd[814779]: [65566.01][iter]   '_ta-4f66.' type 'NULL' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.02][resl]   >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [65566.02][plan]   plan '.' type 'DNSKEY' uid [65566.03]
Dec 22 14:01:50 alice kresd[814779]: [65566.03][iter]     '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [65566.04][cach]     => satisfied by exact RRset: rank 060, new TTL 172800
Dec 22 14:01:50 alice kresd[814779]: [65566.04][iter]     <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr]     <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr]     <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.02][iter]   '_ta-4f66.' type 'NULL' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl]   => id: '48678' querying: '199.7.83.42#00053' score: 20 zone cut: '.' qname: '_tA-4f66.' qtype: 'NULL' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [65566.05][iter]   <= rcode: NXDOMAIN
Dec 22 14:01:50 alice kresd[814779]: [65566.05][vldr]   <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach]   => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach]   => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach]   => nsec_p stashed for . (new, hash: 0)
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl]   <= server: '199.7.83.42' rtt: 21 ms
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl]   AD: request classified as SECURE
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl]   finished in state: 4, queries: 2, mempool: 98352 B
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl]   => id: '15349' querying: '202.12.27.33#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter]   <= loaded 8 glue addresses
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter]   <= referral response, follow
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr]   <= DS: OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr]   <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach]   => stashed gov. DS, rank 060, 356 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach]   => stashed gov. NS, rank 002, 102 B total, incl. 0 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach]   => stashed also 8 nonauth RRsets
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl]   <= server: '2001:dc3::35' rtt: >= 279 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl]   <= server: '202.12.27.33' rtt: 79 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter]   'www.cdc.gov.' type 'A' new uid was assigned .06, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.06][plan]   plan 'gov.' type 'DNSKEY' uid [49186.07]
Dec 22 14:01:50 alice kresd[814779]: [49186.07][iter]     'gov.' type 'DNSKEY' new uid was assigned .08, parent uid .06
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach]     => no NSEC* cached for zone: gov.
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach]     => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach]     => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl]     => id: '16918' querying: '2620:74:28::2:30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl]     => id: '16918' querying: '69.36.153.30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][iter]     <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr]     <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr]     <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach]     => stashed gov. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl]     <= server: '2620:74:28::2:30' rtt: >= 237 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl]     <= server: '69.36.153.30' rtt: 37 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.06][iter]   'www.cdc.gov.' type 'A' new uid was assigned .09, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl]   => id: '06201' querying: '2620:74:27::2:30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl]   => id: '06201' querying: '209.112.123.30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter]   <= loaded 3 glue addresses
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter]   <= referral response, follow
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr]   <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr]   <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach]   => stashed cdc.gov. DS, rank 060, 264 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach]   => stashed cdc.gov. NS, rank 002, 104 B total, incl. 0 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach]   => stashed also 3 nonauth RRsets
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl]   <= server: '2620:74:27::2:30' rtt: >= 257 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl]   <= server: '209.112.123.30' rtt: 57 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter]   'www.cdc.gov.' type 'A' new uid was assigned .10, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.10][plan]   plan 'cdc.gov.' type 'DNSKEY' uid [49186.11]
Dec 22 14:01:51 alice kresd[814779]: [49186.11][iter]     'cdc.gov.' type 'DNSKEY' new uid was assigned .12, parent uid .10
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach]     => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl]     => id: '05583' querying: '198.246.96.92#00053' score: 10 zone cut: 'cdc.gov.' qname: 'cDC.gOv.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.12][iter]     <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr]     <= parent: updating DNSKEY
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr]     <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach]     => stashed cdc.gov. DNSKEY, rank 060, 862 B total, incl. 2 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl]     <= server: '198.246.96.92' rtt: 52 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.10][iter]   'www.cdc.gov.' type 'A' new uid was assigned .13, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl]   => id: '31795' querying: '198.246.96.61#00053' score: 10 zone cut: 'cdc.gov.' qname: 'Www.Cdc.Gov.' qtype: 'A' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter]   <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter]   <= cname chain, following
Dec 22 14:01:51 alice kresd[814779]: [00000.00][plan] plan 'www.akam.cdc.gov.' type 'A' uid [49186.14]
Dec 22 14:01:51 alice kresd[814779]: [49186.13][vldr]   <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.13][cach]   => stashed www.cdc.gov. CNAME, rank 060, 192 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl]   <= server: '198.246.96.61' rtt: 55 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.14][iter]   'www.akam.cdc.gov.' type 'A' new uid was assigned .15, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach]   => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach]   => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach]   => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][zcut]   found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl]   => id: '24013' querying: '198.246.125.10#00053' score: 10 zone cut: 'cdc.gov.' qname: 'aKam.cdC.Gov.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter]   <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter]   <= continuing with qname minimization
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl]   <= server: '198.246.125.10' rtt: 53 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter]   'www.akam.cdc.gov.' type 'A' new uid was assigned .16, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.16][plan]   plan 'akam.cdc.gov.' type 'DS' uid [49186.17]
Dec 22 14:01:51 alice kresd[814779]: [49186.17][iter]     'akam.cdc.gov.' type 'DS' new uid was assigned .18, parent uid .16
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach]     => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][zcut]     found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl]     => id: '02506' querying: '198.246.96.92#00053' score: 52 zone cut: 'cdc.gov.' qname: 'aKAM.cdc.GOv.' qtype: 'DS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.18][iter]     <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr]     <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr]     <= parent: updating DS
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr]     <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach]     => stashed akam.cdc.gov. DS, rank 060, 210 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl]     <= server: '198.246.96.92' rtt: 50 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.16][iter]   'www.akam.cdc.gov.' type 'A' new uid was assigned .19, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.19][plan]   plan 'akam.cdc.gov.' type 'DNSKEY' uid [49186.20]
Dec 22 14:01:51 alice kresd[814779]: [49186.20][iter]     'akam.cdc.gov.' type 'DNSKEY' new uid was assigned .21, parent uid .19
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach]     => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach]     => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl]     => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter]     <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr]     >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl]     <= server: '198.246.96.92' rtt: 48 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl]     => resuming yielded answer
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr]     <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach]     => stashed packet: rank 025, TTL 3600, DNSKEY akam.cdc.gov. (125 B)
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl]     finished in state: 8, queries: 5, mempool: 49200 B
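
Added example (not part of the original report and not Knot Resolver code): a small triage script for kresd verbose logs in the format shown above, which ties each `answering with empty SERVFAIL` line back to the validator failure and the upstream query that produced it. The function name `triage` and the rule that any `[vldr]` message starting with `<= bad` counts as a failure are assumptions; the page itself shows only `bad NODATA proof`.

```python
import re

# Excerpt of the kresd verbose log from the report above.
SAMPLE = """\
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl]     => id: '02506' querying: '198.246.96.92#00053' score: 52 zone cut: 'cdc.gov.' qname: 'aKAM.cdc.GOv.' qtype: 'DS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr]     <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr]     <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl]     => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter]     <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr]     >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr]     <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
"""

LINE = re.compile(r"\[(\d+)\.(\d+)\]\[(\w+)\]\s+(.*)$")  # [request.subquery][module] message
QUERY = re.compile(r"querying: '([^']+)#\d+'.*zone cut: '([^']+)' qname: '([^']+)' qtype: '([^']+)'")

def triage(log_text):
    """Return one finding per request that ended in SERVFAIL."""
    last_query = {}  # (request, sub-query) -> most recent upstream query
    vldr_fail = {}   # request -> (sub-query, validator message)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        req, sub, module, msg = m.groups()
        q = QUERY.search(msg)
        if module == "resl" and q:
            # The logged qname has randomized letter case; lowercase it for comparison.
            server, cut, qname, qtype = q.groups()
            last_query[(req, sub)] = {"server": server, "zone_cut": cut,
                                      "qname": qname.lower(), "qtype": qtype}
        elif module == "vldr" and msg.startswith("<= bad"):
            # Assumption: validator failures are logged as "<= bad ...".
            vldr_fail[req] = (sub, msg[3:].strip())
        elif module == "resl" and "SERVFAIL" in msg:
            sub_id, reason = vldr_fail.get(req, (None, "no validator failure logged"))
            findings.append({"request": req, "reason": reason, **last_query.get((req, sub_id), {})})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the excerpt, the single finding is the `DNSKEY` query for `akam.cdc.gov.` (zone cut `akam.cdc.gov.`) sent to `198.246.96.92`, rejected with `bad NODATA proof`.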