DNS64 synthesis fails for tudelft.account.worldcat.org
In kresd version 5.6.0 with DNS64 module enabled, when resolving tudelft.account.worldcat.org
, DNS64 does not kick in:
$ dig tudelft.account.worldcat.org a
; <<>> DiG 9.16.37 <<>> tudelft.account.worldcat.org a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52064
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tudelft.account.worldcat.org. IN A
;; ANSWER SECTION:
tudelft.account.worldcat.org. 2459 IN CNAME emea.account.worldcat.org.
emea.account.worldcat.org. 28 IN A 193.240.184.98
$ dig tudelft.account.worldcat.org aaaa
; <<>> DiG 9.16.37 <<>> tudelft.account.worldcat.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63626
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 4 (Forged Answer): (BHD4: DNS64 synthesis)
;; QUESTION SECTION:
;tudelft.account.worldcat.org. IN AAAA
;; AUTHORITY SECTION:
worldcat.org. 653 IN SOA michelle.ns.cloudflare.com. dns.cloudflare.com. 2312413286 10000 2400 604800 1800
The zone in question is hosted by Cloudflare and has DNSSEC enabled so my wild guess is that it has something to do with the way Cloudflare signs negative answers.