SERVFAIL when resolving `www.cdc.gov` (knot-resolver 3.2.1, 5.1.3, and 5.2.1)
Starting from a cleared cache, I tried to resolve `www.cdc.gov` from a `knot-resolver` instance. I got a SERVFAIL.

I've seen this behavior in knot-resolver 3.2.1, 5.1.3, and 5.2.1.

I think it has something to do with DNSSEC and QNAME minimization, but I might be misunderstanding it too. In particular, Akamai seems to be authoritative for the `akam.cdc.gov` zone, which maybe has a `DS` record but no `DNSKEY` record? Maybe there are other issues I don't understand though.

Below is a log from a 5.2.1 instance running with `verbose(true)`:
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan 'www.cdc.gov.' type 'A' uid [49186.00]
Dec 22 14:01:50 alice kresd[814779]: [49186.00][iter] 'www.cdc.gov.' type 'A' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [49186.01][iter] 'www.cdc.gov.' type 'A' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [49186.02][plan] plan '.' type 'DNSKEY' uid [49186.03]
Dec 22 14:01:50 alice kresd[814779]: [49186.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '2001:500:9f::42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] => id: '54881' querying: '199.7.83.42#00053' score: 10 zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.04][cach] => stashed . DNSKEY, rank 060, 1090 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [ta_signal_query] signalling query trigered: _ta-4f66.
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '2001:500:9f::42' rtt: >= 220 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.04][resl] <= server: '199.7.83.42' rtt: 20 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.02][iter] 'www.cdc.gov.' type 'A' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '2001:dc3::35#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [00000.00][plan] plan '_ta-4f66.' type 'NULL' uid [65566.00]
Dec 22 14:01:50 alice kresd[814779]: [65566.00][iter] '_ta-4f66.' type 'NULL' new uid was assigned .01, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.01][resl] => using root hints
Dec 22 14:01:50 alice kresd[814779]: [65566.01][iter] '_ta-4f66.' type 'NULL' new uid was assigned .02, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.02][resl] >< TA: '.'
Dec 22 14:01:50 alice kresd[814779]: [65566.02][plan] plan '.' type 'DNSKEY' uid [65566.03]
Dec 22 14:01:50 alice kresd[814779]: [65566.03][iter] '.' type 'DNSKEY' new uid was assigned .04, parent uid .02
Dec 22 14:01:50 alice kresd[814779]: [65566.04][cach] => satisfied by exact RRset: rank 060, new TTL 172800
Dec 22 14:01:50 alice kresd[814779]: [65566.04][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [65566.04][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.02][iter] '_ta-4f66.' type 'NULL' new uid was assigned .05, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] => id: '48678' querying: '199.7.83.42#00053' score: 20 zone cut: '.' qname: '_tA-4f66.' qtype: 'NULL' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [65566.05][iter] <= rcode: NXDOMAIN
Dec 22 14:01:50 alice kresd[814779]: [65566.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . SOA, rank 060, 358 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => stashed . NSEC, rank 060, 308 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [65566.05][cach] => nsec_p stashed for . (new, hash: 0)
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] <= server: '199.7.83.42' rtt: 21 ms
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] AD: request classified as SECURE
Dec 22 14:01:50 alice kresd[814779]: [65566.05][resl] finished in state: 4, queries: 2, mempool: 98352 B
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] => id: '15349' querying: '202.12.27.33#00053' score: 10 zone cut: '.' qname: 'GOV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= loaded 8 glue addresses
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] <= referral response, follow
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= DS: OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. DS, rank 060, 356 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed gov. NS, rank 002, 102 B total, incl. 0 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.05][cach] => stashed also 8 nonauth RRsets
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '2001:dc3::35' rtt: >= 279 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][resl] <= server: '202.12.27.33' rtt: 79 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.05][iter] 'www.cdc.gov.' type 'A' new uid was assigned .06, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.06][plan] plan 'gov.' type 'DNSKEY' uid [49186.07]
Dec 22 14:01:50 alice kresd[814779]: [49186.07][iter] 'gov.' type 'DNSKEY' new uid was assigned .08, parent uid .06
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => no NSEC* cached for zone: gov.
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => skipping zone: gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '2620:74:28::2:30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] => id: '16918' querying: '69.36.153.30#00053' score: 10 zone cut: 'gov.' qname: 'gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.08][iter] <= rcode: NOERROR
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= parent: updating DNSKEY
Dec 22 14:01:50 alice kresd[814779]: [49186.08][vldr] <= answer valid, OK
Dec 22 14:01:50 alice kresd[814779]: [49186.08][cach] => stashed gov. DNSKEY, rank 060, 730 B total, incl. 1 RRSIGs
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '2620:74:28::2:30' rtt: >= 237 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.08][resl] <= server: '69.36.153.30' rtt: 37 ms
Dec 22 14:01:50 alice kresd[814779]: [49186.06][iter] 'www.cdc.gov.' type 'A' new uid was assigned .09, parent uid .00
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '2620:74:27::2:30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:50 alice kresd[814779]: [49186.09][resl] => id: '06201' querying: '209.112.123.30#00053' score: 10 zone cut: 'gov.' qname: 'cdc.goV.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= loaded 3 glue addresses
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] <= referral response, follow
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. DS, rank 060, 264 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed cdc.gov. NS, rank 002, 104 B total, incl. 0 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.09][cach] => stashed also 3 nonauth RRsets
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '2620:74:27::2:30' rtt: >= 257 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][resl] <= server: '209.112.123.30' rtt: 57 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.09][iter] 'www.cdc.gov.' type 'A' new uid was assigned .10, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.10][plan] plan 'cdc.gov.' type 'DNSKEY' uid [49186.11]
Dec 22 14:01:51 alice kresd[814779]: [49186.11][iter] 'cdc.gov.' type 'DNSKEY' new uid was assigned .12, parent uid .10
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] => id: '05583' querying: '198.246.96.92#00053' score: 10 zone cut: 'cdc.gov.' qname: 'cDC.gOv.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.12][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= parent: updating DNSKEY
Dec 22 14:01:51 alice kresd[814779]: [49186.12][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.12][cach] => stashed cdc.gov. DNSKEY, rank 060, 862 B total, incl. 2 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.12][resl] <= server: '198.246.96.92' rtt: 52 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.10][iter] 'www.cdc.gov.' type 'A' new uid was assigned .13, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] => id: '31795' querying: '198.246.96.61#00053' score: 10 zone cut: 'cdc.gov.' qname: 'Www.Cdc.Gov.' qtype: 'A' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.13][iter] <= cname chain, following
Dec 22 14:01:51 alice kresd[814779]: [00000.00][plan] plan 'www.akam.cdc.gov.' type 'A' uid [49186.14]
Dec 22 14:01:51 alice kresd[814779]: [49186.13][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.13][cach] => stashed www.cdc.gov. CNAME, rank 060, 192 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.13][resl] <= server: '198.246.96.61' rtt: 55 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.14][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .15, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.15][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] => id: '24013' querying: '198.246.125.10#00053' score: 10 zone cut: 'cdc.gov.' qname: 'aKam.cdC.Gov.' qtype: 'NS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] <= continuing with qname minimization
Dec 22 14:01:51 alice kresd[814779]: [49186.15][resl] <= server: '198.246.125.10' rtt: 53 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.15][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .16, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.16][plan] plan 'akam.cdc.gov.' type 'DS' uid [49186.17]
Dec 22 14:01:51 alice kresd[814779]: [49186.17][iter] 'akam.cdc.gov.' type 'DS' new uid was assigned .18, parent uid .16
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.18][zcut] found cut: cdc.gov. (rank 002 return codes: DS 0, DNSKEY 0)
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] => id: '02506' querying: '198.246.96.92#00053' score: 52 zone cut: 'cdc.gov.' qname: 'aKAM.cdc.GOv.' qtype: 'DS' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.18][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= DS: OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= parent: updating DS
Dec 22 14:01:51 alice kresd[814779]: [49186.18][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.18][cach] => stashed akam.cdc.gov. DS, rank 060, 210 B total, incl. 1 RRSIGs
Dec 22 14:01:51 alice kresd[814779]: [49186.18][resl] <= server: '198.246.96.92' rtt: 50 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.16][iter] 'www.akam.cdc.gov.' type 'A' new uid was assigned .19, parent uid .00
Dec 22 14:01:51 alice kresd[814779]: [49186.19][plan] plan 'akam.cdc.gov.' type 'DNSKEY' uid [49186.20]
Dec 22 14:01:51 alice kresd[814779]: [49186.20][iter] 'akam.cdc.gov.' type 'DNSKEY' new uid was assigned .21, parent uid .19
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => no NSEC* cached for zone: cdc.gov.
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => skipping zone: cdc.gov., NSEC, hash 0;new TTL -123456789, ret -2
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] <= server: '198.246.96.92' rtt: 48 ms
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => resuming yielded answer
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.21][cach] => stashed packet: rank 025, TTL 3600, DNSKEY akam.cdc.gov. (125 B)
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] finished in state: 8, queries: 5, mempool: 49200 B
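
A triage sketch for verbose logs like the one above, added here as an example and not part of the original report or of knot-resolver: it pairs each `SERVFAIL` with the last validator verdict and the upstream query that preceded it, lowercasing the case-randomized qname. The function name `triage` and the "last `[vldr]` line before the failure" heuristic are assumptions; the sample lines are excerpted from the log above.

```python
import re

# "[request.sub][module] message" as emitted by kresd with verbose(true)
LINE = re.compile(r"\[(\d+)\.(\d+)\]\[(\w+)\]\s+(.*)$")
# Fields of an outgoing query line in the [resl] module
QUERY = re.compile(
    r"querying: '([^'#]+)#\d+'.*zone cut: '([^']+)' qname: '([^']+)' qtype: '([^']+)'"
)

# Excerpt from the log above (one passing request, then the failing one)
SAMPLE = """\
Dec 22 14:01:50 alice kresd[814779]: [65566.05][vldr] <= answer valid, OK
Dec 22 14:01:51 alice kresd[814779]: [49186.21][resl] => id: '42245' querying: '198.246.96.92#00053' score: 51 zone cut: 'akam.cdc.gov.' qname: 'akaM.CdC.Gov.' qtype: 'DNSKEY' proto: 'udp'
Dec 22 14:01:51 alice kresd[814779]: [49186.21][iter] <= rcode: NOERROR
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] >< cut changed, needs revalidation
Dec 22 14:01:51 alice kresd[814779]: [49186.21][vldr] <= bad NODATA proof
Dec 22 14:01:51 alice kresd[814779]: [49186.00][resl] request failed, answering with empty SERVFAIL
"""

def triage(log_text):
    """Return one record per SERVFAIL: validator verdict plus the query it judged."""
    last_query = {}  # (request, sub) -> details of the last upstream query
    last_vldr = {}   # request -> (sub, last validator message)
    failures = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a request id, e.g. [ta_signal_query]
        req, sub, tag, msg = m.groups()
        q = QUERY.search(msg) if tag == "resl" else None
        if q:
            server, cut, qname, qtype = q.groups()
            # qname case is randomized on the wire; normalize for comparison
            last_query[(req, sub)] = {"server": server, "zone_cut": cut,
                                      "qname": qname.lower(), "qtype": qtype}
        elif tag == "vldr":
            last_vldr[req] = (sub, msg.lstrip("<=> ").strip())
        elif tag == "resl" and "SERVFAIL" in msg:
            # Assumption: the last validator line of the request explains the failure
            sub_id, verdict = last_vldr.get(req, (None, "no validator output"))
            failures.append({"request": req, "sub": sub_id, "verdict": verdict,
                             **last_query.get((req, sub_id), {})})
    return failures

if __name__ == "__main__":
    for failure in triage(SAMPLE):
        print(failure)
```
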