Hi Danilo,

it is not a problem on your end. Their servers break the DNS protocol and
don't respond to unknown names:

$ dig +tries=1 -4 IN NS @nstll.eulisa.europa.eu ${RANDOM}.eulisa.europa.eu
;; communications error to 194.126.110.49#53: timed out

; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> +tries=1 -4 
IN NS @nstll.eulisa.europa.eu 20520.eulisa.europa.eu
; (1 server found)
;; global options: +cmd
;; no servers could be reached

That makes them pretty much vulnerable to cache poisoning attacks. Yay!

And it also possibly hinders the resolution of normal queries, as the QNAME
minimization query for the _domainkey label also fails:

$ dig +tries=1 -4 IN NS @nstll.eulisa.europa.eu. _domainkey.eulisa.europa.eu
;; communications error to 194.126.110.49#53: timed out

; <<>> DiG 9.21.3-1+0~20241211.133+debian12~1.gbp5b5fe5-Debian <<>> +tries=1 -4 
IN NS @nstll.eulisa.europa.eu. _domainkey.eulisa.europa.eu
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Cheers,
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.
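Added example, not part of this thread or of BIND: a small stdlib-only probe that does what the dig commands above do by hand. It sends a non-recursive NS query for a random, nonexistent name under a zone to one authoritative server, classifies the outcome (NXDOMAIN is the correct answer; a timeout is the drop-unknown-names behaviour described above), and lists the intermediate names a QNAME-minimizing resolver would ask the zone's servers about, which is why the `_domainkey` step fails. The server address, zone name and timeout in the `__main__` block are assumptions (documentation-range placeholders), not values from the thread.

```python
#!/usr/bin/env python3
"""Probe whether an authoritative server answers queries for names that do
not exist (it must, with NXDOMAIN) or silently drops them.  Stdlib only."""
import secrets
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_NS = 2
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_NS,
                txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a plain query with RD=0, the kind a resolver sends to an authoritative server."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = 0x0000                      # QR=0, OPCODE=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def classify_response(txid: int, data: Optional[bytes]) -> str:
    """Return the RCODE name of a response, or a label for the failure modes we care about."""
    if data is None:
        return "TIMEOUT"
    if len(data) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        return "ID_MISMATCH"            # reply to a query we did not send
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"         # QR bit clear
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")


def verdict(outcome: str) -> str:
    """Interpret the outcome of a random-name probe."""
    if outcome == "NXDOMAIN":
        return "ok: unknown names are denied with NXDOMAIN"
    if outcome == "TIMEOUT":
        return ("broken: unknown names are dropped; resolvers keep retrying and "
                "QNAME minimization steps below the zone apex time out")
    return f"unexpected: {outcome}"


def qname_minimisation_steps(qname: str, zone: str) -> List[str]:
    """Names a minimizing resolver (RFC 9156) asks the zone's servers about, one label at a time."""
    qlabels = qname.rstrip(".").split(".")
    zlabels = zone.rstrip(".").split(".")
    if qlabels[-len(zlabels):] != zlabels:
        raise ValueError("qname is not under zone")
    extra = qlabels[:len(qlabels) - len(zlabels)]
    return [".".join(extra[i:] + zlabels) for i in range(len(extra) - 1, -1, -1)]


def probe_random_name(server_ip: str, zone: str, timeout: float = 3.0) -> str:
    """Send one NS query for <random>.<zone> to server_ip over UDP and classify the result."""
    name = f"{secrets.token_hex(4)}.{zone}"
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_response(txid, data)


if __name__ == "__main__":
    # Assumed placeholders: point these at your own authoritative server and zone.
    print(verdict(probe_random_name("192.0.2.53", "example.com")))
    print(qname_minimisation_steps("selector._domainkey.example.com", "example.com"))
```

A server that drops the random-name query makes `probe_random_name` return `TIMEOUT`; the second `qname_minimisation_steps` call shows that a minimizing resolver must first ask about `_domainkey.example.com` before it ever asks for the selector name, so the same drop stalls DKIM lookups.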

> On 13. 12. 2024, at 15:53, Danilo Godec via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> Hello,
> 
> I recently noticed that emails from somewhat trustworthy organization don't 
> have a valid DKIM signature - or rather, my email client can't verify them, 
> because there is a timeout resolving the domainkey record.
> 
> 
> Testing this with 'dig' confirms the problem:
> 
> > dig txt eulisa._domainkey.eulisa.europa.eu
> ;; communications error to 172.16.0.35#53: timed out
> 
> ; <<>> DiG 9.18.28 <<>> txt eulisa._domainkey.eulisa.europa.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55417
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: d6eea8bdf879508b01000000675c30a8e779768fc9685289 (good)
> ;; QUESTION SECTION:
> ;eulisa._domainkey.eulisa.europa.eu. IN TXT
> 
> ;; Query time: 4992 msec
> ;; SERVER: 172.16.0.35#53(172.16.0.35) (UDP)
> ;; WHEN: Fri Dec 13 14:03:36 CET 2024
> ;; MSG SIZE  rcvd: 91
> 
> However, resolving other TXT records for the domain works normally:
> 
> > dig txt eulisa.europa.eu
> 
> ; <<>> DiG 9.18.28 <<>> txt eulisa.europa.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35151
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 1c40aaf791d3d85d01000000675c30c1a34364fc3a09684c (good)
> ;; QUESTION SECTION:
> ;eulisa.europa.eu.              IN      TXT
> 
> ;; ANSWER SECTION:
> eulisa.europa.eu.       300     IN      TXT     "MS=ms83963822"
> eulisa.europa.eu.       300     IN      TXT     "v=spf1 mx ip4:195.80.109.244 
> ip4:195.80.109.246 ip4:185.78.44.242 ip4:185.78.44.243 ip4:185.7.39.180 
> ip4:213.32.127.167 ip4:213.32.127.168" " ip4:51.254.189.37 ip4:194.126.110.37 
> ip4:212.234.189.164 a:smtp-out.fingerprint.fr include:_spf.tech.ec.europa.eu 
> include:spf.protection.outlook.com -all"
> eulisa.europa.eu.       300     IN      TXT     
> "atlassian-domain-verification=IAbzEpJrPKAGpbastIH07G8kB/zM1meGcRNejgMYZsby1d0k7VwnPjDu6eGVLbqT"
> eulisa.europa.eu.       300     IN      TXT     "MS=ms12401514"
> eulisa.europa.eu.       300     IN      TXT     
> "apple-domain-verification=z8I34fLchFm3RjgN"
> 
> ;; Query time: 204 msec
> ;; SERVER: 172.16.0.35#53(172.16.0.35) (UDP)
> ;; WHEN: Fri Dec 13 14:04:01 CET 2024
> ;; MSG SIZE  rcvd: 593
> 
> 
> I tried resolving the domainkey with Google and other DNSs and it seems to 
> work.
> 
> As far as I could find so far, the problem manifests itself only on my 
> location, where I have three named servers - two are version 9.18.28 while 
> one is 9.16.37. I also have a 4th one on a different location and it's even 
> older (9.11.4), but this one does resolve the domain key:
> 
> > dig txt eulisa._domainkey.eulisa.europa.eu @dns4.elasticbox.eu
> 
> ; <<>> DiG 9.18.28 <<>> txt eulisa._domainkey.eulisa.europa.eu 
> @dns4.elasticbox.eu
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9239
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 2b312991c2683e34f941a13f675c47654032168d65401367 (good)
> ;; QUESTION SECTION:
> ;eulisa._domainkey.eulisa.europa.eu. IN TXT
> 
> ;; ANSWER SECTION:
> eulisa._domainkey.eulisa.europa.eu. 3462 IN TXT "v=DKIM1;  
> p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1XVPzcIhCuMinLW2oceuhuqpGRxpX3koW2cV7ZGUzCnO+G0Xw6611ZMLT+Sk6313k0zVbwsL8Fnrbt+guvdqzx3Zh23chNZ24+ExN8Fhlb7XK0F7PqEH7pdJ1GAuraBJQmNviPiV64epsYu5gbiP8Aol16AcTCw1UvAG8xD4gQL2bXg52i5ucq2pRhEd9jbz1nc6gLA"
>  
> "tcTwlSWVjlw6gu0+FzQ3DvhoCeMR8u6uOZx1GyWMX0YZRXEm9s8a2A1+mlD9l7+ypQWsyl1RiOI/RV5druI3mEuxPn1/pzyO7bbroZXcFOjz4B5Z9iRqtXoEZRhYIS8zScCKy+k8T8gGyWwIDAQAB;"
> 
> ;; AUTHORITY SECTION:
> eulisa.europa.eu.       3462    IN      NS      nssxb.eulisa.europa.eu.
> eulisa.europa.eu.       3462    IN      NS      nstll.eulisa.europa.eu.
> 
> ;; ADDITIONAL SECTION:
> nstll.eulisa.europa.eu. 3462    IN      A       194.126.110.49
> nssxb.eulisa.europa.eu. 3462    IN      A       212.234.189.180
> 
> ;; Query time: 40 msec
> ;; SERVER: 54.229.229.105#53(dns4.elasticbox.eu) (UDP)
> ;; WHEN: Fri Dec 13 15:40:38 CET 2024
> ;; MSG SIZE  rcvd: 582
> 
> 
> That implies that this might be a network problem, but since all servers have 
> a public IP and no NAT, I really can't imagine why or how.
> 
> What diagnostic steps can I take to get a better idea of what's going on with 
> these queries as far as named is concerned?
> 
>       Thanks,
> 
>     Danilo
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
