LWN: Comments on "LWN emails bouncing due to dnsbl.njabl.org"

NXDOMAIN

tialaramex — Sun, 06 Jan 2019 12:57:31 +0000

NXDOMAIN means "This name doesn't exist" and, RFC 8020 makes clear, "Also there aren't any names under this somewhere in the hierarchy either"

You can get a NOERROR response with 0 answers. For example if you ask for an obscure DNS record type for, say, google.com, the answer isn't NXDOMAIN because google.com exists, but there are no answers to your question, so you get 0 answers. Because of the rationale in RFC 8020 zero answers for foo.example is also the correct response if there are no foo.example records at all, but there are bar.foo.example records, since bar.foo.example is under foo.example in the hierarchy and so NXDOMAIN for foo.example would imply bar.foo.example doesn't exist

But as you found SERVFAIL means "Something went wrong". It's annoyingly common for DNS to be misconfigured. For most administrators "it worked in a browser" is the extent of the testing of their DNS records. The various free-with-your-OS DNS servers are fairly good, assuming you do a reasonable job of configuring them, but for some reason expensive third party proprietary DNS solutions, all of which are hopeless, are very popular in some sectors.

Let's Encrypt adds a small positive pressure here, unlike a reseller for a traditional CA who'd push back on their technical people to let your misconfigured services through so they can make a sale, Let's Encrypt's soulless automation just rejects misconfigured systems. Arguing with the machine won't help, so your options are to fix the configuration or pay a traditional CA. Whether that means it comes out of your own pocket or you must endure a conversation with your accounts department, either way most technical people would rather learn what the hell is wrong with their DNS configuration and get the job done.

LWN emails bouncing due to dnsbl.njabl.org

wblew — Sat, 05 Jan 2019 23:37:27 +0000

Answering my own question, to quote https://wordtothewise.com/2013/04/dns-servfail-firewalls-...

SERVFAIL: is the all purpose “something went wrong” response. By far the most common cause for it is that there’s something broken or misconfigured with the authoritative DNS for the domain you’re querying so that your local DNS server sends out questions and never gets any answers back. After a few seconds of no responses it’ll give up and return this error.

In this case, the NS records for njabl.org are: dns1.njabl.org and dns2.njabl.org.

However, the org. root server cannot resolve either of those domains.

Presumably that results in SERVFAIL. i.e. The njabl.org domain is 'mis configured'.

LWN emails bouncing due to dnsbl.njabl.org

wblew — Sat, 05 Jan 2019 23:27:18 +0000

Just one question from the newbie: why would the dig response be SERVFAIL instead of NXDOMAIN?

Doesn't SERVFAIL imply there is some RR at the queried domain? I'm sure this is merely my ignorance.

LWN emails bouncing due to dnsbl.njabl.org

rickmoen — Fri, 04 Jan 2019 22:43:53 +0000

In case of causing confusion by being too terse: I meant that the catchall DNS server reported in Hacker News is now now longer in place, as shown by my 'dig' testing of yesterday. So, the perception that dnsbl.njabl.org was suddenly giving a spurious fail result might have been accurate for a couple of days, and then someone at njabl.org took down the daemon responding on port 53.

LWN emails bouncing due to dnsbl.njabl.org

rickmoen — Fri, 04 Jan 2019 09:43:27 +0000

Hacker News claimed a couple of days ago that someone was operating a wildcard DNS server that always returned a canned IP address to queries on [anything].dnsbl.njabl.org . If true, that would explain the allegations.

In any event, that is not the case. Note 'SERVFAIL':

$ dig lwn.net +short
45.33.94.129
$ dig 129.94.33.45.dnsbl.njabl.org

; <<>> DiG 9.10.6 <<>> 129.94.33.45.dnsbl.njabl.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;129.94.33.45.dnsbl.njabl.org. IN A

;; Query time: 75 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 04 01:24:47 PST 2019
;; MSG SIZE rcvd: 57
$

Rick Moen
rick@linuxmafia.com

LWN emails bouncing due to dnsbl.njabl.org

ghane — Thu, 03 Jan 2019 15:56:23 +0000

I checked, and the website believes I am in "TEST".

Keeps telling me "752 people in TEST now making money".

Wonder what happens when I shift to PROD?

--
Sanjeev