Learn More
Resend Email
60
franga2000
6y

I get a call: "Hey the site is down. Fix it!"
Worked on my workstation, not on my phone => DNS issue.

Local cache: "All OK"
ISP's DNS: "No record"
Google DNS: "Server error"
MXToolbox: "All OK"
CloudFlare DNS: "Domain? What domain?"

After a day of fucking around with configs and wanting to strangle the customer support guy, I just started pressing buttons, until suddenly, it worked. Turns out I'd accidentally enabled DNSSEC on a domain, that wasn't configured for it.

Lesson learned: There is no official DNS error code for "DNSSEC failed somewhere upstream". If you're lucky, you might get something useful out of the authoritative server, but apparently not on Mondays.

rant

fuck dns

fuck dnssec
Favorite
Ranter
Comments
  • 12
    6y
    Mxtoolbox actually giving shit about DNSSEC is scary...
    But, how did you enable DNSSEC on the registrar and not placed the RSIG data in the zone?
  • 0
    6y
    ๐Ÿ“ Curious
  • 1
    6y
    ๐Ÿคtactical knowledge duck
  • 0
    6y
    ๐Ÿ“Œ
  • 0
    6y
    ๐Ÿ“Œ
  • 0
    6y
    @Linux I didn't actually check because once it was fixed, I didn't want to touch it, but I think this is what was going on:
    The registar (Namecheap) doesn't actually allow you to set DNSSEC records manually (using their DNS servers). I think they generate the privkey and automatically sign all records. The only thing that I can think of that would've caused this was if they put a DS record in the TLD zone (.com), but didn't actually sign my records (RRSIG). When a (DNSSEC-aware) resolver came along, it found the DS record, but no RRSIG, so it spat out an error. Somewhere in the chain, there must've been a DNSSEC-oblovious resolver, that interpreted that as "no record", hence me sleeping only 3 hours.
    All of this is pure speculation though, as all Namecheap lets me see is a "DNSSEC toggle" switch - which I will never be touching again.
  • 0
    6y
    @franga2000
    Well, either you, or one of the providers badly fucked up. And .com is the worst tld to fuck up DNSSEC with.
    It was probably a ksk rollover that failed
  • 2
    6y
    @Linux right, they did postopne it to sometime around now.
    Either way, I claim full responsibility for clicking a button I shouldn't have right before half a week of national holidays.
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment