SERVFAIL for www.pinterest.com and TLS_FORWARD (kresd 5.5.2)
Hi knot-resolver maintenance team,
I spent some time debugging an issue resolving a specific FQDN: www.pinterest.com
After debugging, I found that the SERVFAIL error only occurs in the CNAME chain once I configure a TLS_FORWARD policy like the example below.
Steps to reproduce the issue:
- use the latest knot-resolver version (5.5.2), e.g. from docker cznic/knot-resolver
- Forward all requests to the Cloudflare upstream:
policy.add(policy.all(policy.TLS_FORWARD({{'1.1.1.1', hostname='cloudflare-dns.com'}})))
- Attempts to resolve www.pinterest result in a SERVFAIL error:
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24362
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.pinterest.com. IN A
;; ANSWER SECTION:
www.pinterest.com. 439 IN CNAME www-pinterest-com.gslb.pinterest.com.
www-pinterest-com.gslb.pinterest.com. 159 IN CNAME www.gslb.pinterest.net.
;; Query time: 919 msec
;; SERVER: 192.168.10.240#53(192.168.10.240) (UDP)
;; WHEN: Mon Sep 12 13:35:07 CEST 2022
;; MSG SIZE rcvd: 119
It seems that the request fails because of DNSSEC and pinterest.net in the CNAME chain. Interestingly enough, once the TLS_FORWARD policy has been removed, www.pinterest.com resolves as expected.
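As an added diagnostic that is not part of this report or of knot-resolver, the following Python parses the dig answer above to show at which hop the CNAME chain stops and which zones it crosses, so the dangling name can then be queried directly against the upstream and its DNSSEC state compared with the rest of the chain. The embedded dig text is a constructed copy of the answer above, and the zone split is a two-label heuristic rather than a public-suffix lookup.

```python
import re

# Constructed copy of the dig answer quoted above (only the lines the parser needs).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24362
;; QUESTION SECTION:
;www.pinterest.com. IN A
;; ANSWER SECTION:
www.pinterest.com. 439 IN CNAME www-pinterest-com.gslb.pinterest.com.
www-pinterest-com.gslb.pinterest.com. 159 IN CNAME www.gslb.pinterest.net.
"""
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")  # owner ttl IN type rdata
def parse_answer(dig_text):
    """Return (status, qname, qtype, answer) with answer = [(owner, rtype, rdata)]."""
    status, question, answer, in_answer = None, None, [], False
    for line in dig_text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";;"):                       # section header or comment
            in_answer = line.startswith(";; ANSWER SECTION")
        elif line.startswith(";") and question is None:   # ";www.pinterest.com. IN A"
            question = line[1:].split()
        elif in_answer and (m := RR_RE.match(line)):
            answer.append((m[1].lower(), m[2], m[3].lower()))
    return status, question[0].lower(), question[2], answer

def follow_cname_chain(qname, qtype, answer):
    """Walk CNAMEs from qname; return (names_visited, dangling) where dangling is
    the name with neither a CNAME nor a qtype record (where resolution stopped) or None."""
    chain, name = [qname], qname
    while name not in chain[:-1]:                         # stop on a CNAME loop
        rrs = [r for r in answer if r[0] == name]
        if any(r[1] == qtype for r in rrs):
            return chain, None
        cnames = [r[2] for r in rrs if r[1] == "CNAME"]
        if not cnames:
            return chain, name
        name = cnames[0]
        chain.append(name)
    return chain, name                                    # loop: repeated name

def zones_crossed(chain, labels=2):
    """Zones along the chain as the last `labels` labels of each name (heuristic, not PSL)."""
    zones = []
    for name in chain:
        zone = ".".join(name.rstrip(".").split(".")[-labels:])
        if zone not in zones:
            zones.append(zone)
    return zones
```

For the answer above this reports www.gslb.pinterest.net. as the dangling hop and the chain crossing from pinterest.com into pinterest.net, which is the name to query against the forwarder with and without the DO bit.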
I have too little knowledge to understand why the request fails in combination with TLS_FORWARD.
I am happy to contribute additional debug information.