Closed AndrewPaglusch closed 1 month ago
Thanks for the post. This issue is related to issue #890. From tests and feedback, it's observed that Cloudflare and Quad9 in rare instances return a response with missing RRSIG records, which causes the DNSSEC validation to fail. These get cached as a failure response and then affect the resolution of domain names that have a CNAME record. This is another issue with the cache, which picks the failure cache entry instead of the CNAME cache entry, that is being fixed in the upcoming update.
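The failure mode described in the comment above is a response in which some RRset has no covering RRSIG, which a validating resolver has to treat as bogus. The following is an added example, not code from Technitium DNS Server or from anyone in this thread: a minimal DNS wire-format parser that lists the answer RRsets lacking a covering RRSIG, run against two constructed responses for a hypothetical `www.example.net` CNAME chain (one fully signed, one with the RRSIG over the A RRset dropped). The RRSIG records are constructed with placeholder signature bytes and are only used for the coverage check, not cryptographically verified.

```python
import struct

# DNS RR type codes used below
TYPE_A, TYPE_CNAME, TYPE_RRSIG = 1, 5, 46
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rrsig_rdata(type_covered, signer="example.net."):
    """RRSIG rdata (RFC 4034 section 3.1) with a placeholder signature.
    Constructed for the coverage check only; the signature bytes are not valid."""
    fixed = struct.pack("!HBBIIIH", type_covered, 13, 2, 300,
                        0x7FFFFFFF, 0, 12345)  # type, alg, labels, orig TTL, exp, inc, key tag
    return fixed + encode_name(signer) + b"\x00" * 64


def build_response(qname, qtype, records):
    """Assemble a DNS response without name compression. records: (name, type, rdata)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for name, rtype, rdata in records:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer: follow it, keep our end
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answer(msg):
    """Return the answer-section RRs as (name, type, rdata) tuples."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the question section
        _, off = parse_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rrs


def unsigned_rrsets(msg):
    """Answer RRsets with no covering RRSIG, as sorted (name, type) pairs.
    For a signed zone, a validating resolver treats such a response as bogus."""
    rrs = parse_answer(msg)
    rrsets = {(n, t) for n, t, _ in rrs if t != TYPE_RRSIG}
    covered = {(n, struct.unpack("!H", rd[:2])[0]) for n, t, rd in rrs if t == TYPE_RRSIG}
    return sorted(rrsets - covered)


# Constructed sample responses for www.example.net (CNAME -> host.example.net -> A).
CNAME_RDATA = encode_name("host.example.net.")
A_RDATA = bytes([192, 0, 2, 10])

GOOD_RESPONSE = build_response("www.example.net.", TYPE_A, [
    ("www.example.net.", TYPE_CNAME, CNAME_RDATA),
    ("www.example.net.", TYPE_RRSIG, rrsig_rdata(TYPE_CNAME)),
    ("host.example.net.", TYPE_A, A_RDATA),
    ("host.example.net.", TYPE_RRSIG, rrsig_rdata(TYPE_A)),
])

# Same chain, but the upstream omitted the RRSIG over the A RRset.
BAD_RESPONSE = build_response("www.example.net.", TYPE_A, [
    ("www.example.net.", TYPE_CNAME, CNAME_RDATA),
    ("www.example.net.", TYPE_RRSIG, rrsig_rdata(TYPE_CNAME)),
    ("host.example.net.", TYPE_A, A_RDATA),
])

if __name__ == "__main__":
    print("good:", unsigned_rrsets(GOOD_RESPONSE))
    print("bad: ", unsigned_rrsets(BAD_RESPONSE))
```

Feeding a real packet capture from the DoT forwarders into `unsigned_rrsets` shows which RRset in the chain arrived without its signature; in the bad sample it is the A RRset at the CNAME target, while the CNAME itself is still signed, which is exactly the case where caching the failure and then preferring that entry over the CNAME entry breaks later lookups.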
Thanks for the explanation @ShreyasZare. I searched for this issue before posting, but apparently not hard enough. Sorry for the duplicate. I'll keep an eye on that other issue from here on.
I'm running into issues when trying to resolve certain FQDNs. The issue seems sporadic, since one lookup may fail, and subsequent lookups eventually succeed. This has been happening for multiple different domains over the past few days and seems to be related to DNSSEC validation failures.
I'm running Technitium DNS Server version 12.2.1 in Docker on my local network. The DNS server is configured as a forwarder to 4x DNS-over-TLS resolvers (two Cloudflare and two Quad9). Please let me know if I can provide any more information in this issue to aid in troubleshooting.
My first lookup fails (which results in the below error). Running the lookup again a minute later succeeds. If I can capture the output of a `dig` without the `+short` flag, I'll post that in place of the below output. It's sometimes difficult for me to reproduce this issue, so it may be a while before I can update this with the full `dig` output.

Error logged:
Here's the cached entry for this host: