mermaid-js / mermaid

Generation of diagrams like flowcharts or sequence diagrams from text in a similar manner as markdown
https://mermaid.js.org
MIT License
71.31k stars 6.43k forks

Website unavailable due to lack of DNSSEC #5331

Open MJDSys opened 7 months ago

MJDSys commented 7 months ago

Description

Due to js.org enabling DNSSEC, the mermaid.js.org domain name cannot be resolved if a DNSSEC validating resolver is being used. This causes the website/email/etc. to be unavailable. As this may be implemented at the ISP level, this may cause the website to be unavailable with little recourse for many people.

I realize that this is complicated by the interaction between js.org project and the mermaid project, so I understand if it will take some time to resolve, but I wanted to raise awareness here so the process can begin :)

Steps to reproduce

  1. Try to visit mermaid.js.org when your DNS server is validating DNSSEC.
  2. The web browser fails to load the site.

Screenshots

No response

Code Sample

No response

Setup

No response

Suggested Solutions

No response

Additional Context

No response

sidharthv96 commented 7 months ago

DNSSEC is not supported by Netlify. https://answers.netlify.com/t/dnssec-support-on-netlify/3360/48 We'll have to move our nameservers to Cloudflare. Thanks for bringing this up @MJDSys !

MJDSys commented 7 months ago

@sidharthv96 I investigated this further, it might be a bug in the dns resolver on my end. Let me track this down and make sure it's a global issue. I'll get back to you soon.

sidharthv96 commented 7 months ago

@MJDSys did you figure out where the issue is?

MJDSys commented 7 months ago

Hi @sidharthv96, sorry for the delay; it took me a little more research to understand what's going on.

The good news is you don't need the domain to have DNSSEC enabled. I misunderstood the standard and assumed my DNS resolver was giving errors because of it.

The underlying problem seems to come from systemd-resolved and your use of CNAME records. If systemd-resolved sees a CNAME record for a delegated domain, it assumes the domain is not delegated (which may be a correct assumption? That's not clear to me without reading the various RFCs). This causes systemd-resolved to assume mermaid.js.org should be signed by js.org, which it isn't and thus fails. A similar situation occurs with Duck Duck Go, and there is a bug report against systemd here: https://github.com/systemd/systemd/issues/31484 .

If you don't mind, I believe the issue can be resolved by this project by following the guide for apex domains from Github ( https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site#configuring-an-apex-domain ). This would avoid the CNAME record and fix the issue.

Sorry for raising the original concern, I was worried the problem was more widespread. I didn't mean to cause unnecessary panic.
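Added example, not code from the mermaid project or from any commenter: a toy DNSSEC validator that follows the CNAME chain discussed in the comment above and reports the RFC 4035 security state of the final answer, once for the CNAME setup and once with the apex-style A record the GitHub guide recommends. All zones, records and IPs are constructed; it assumes the mermaid.js.org CNAME is published inside the signed js.org zone and that github.io is unsigned with no DS record at its parent.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    signed: bool               # publishes DNSKEY + RRSIGs
    parent: str = ""           # enclosing zone; "" marks a trust anchor
    has_ds: bool = False       # parent publishes a DS record for this zone
    rrsets: dict = field(default_factory=dict)  # owner -> (rtype, rdata)

def closest_zone(name, zones):  # longest-suffix match
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return zones[".".join(labels[i:])]
    raise LookupError(name)

def zone_state(zone, zones):  # chain of trust: SECURE, INSECURE or BOGUS
    if not zone.parent:
        return "SECURE" if zone.signed else "INSECURE"
    above = zone_state(zones[zone.parent], zones)
    if above != "SECURE":
        return above                 # nothing to anchor this zone to
    if not zone.has_ds:
        return "INSECURE"            # signed proof that no DS exists: accepted, no AD bit
    return "SECURE" if zone.signed else "BOGUS"  # DS present but no valid signatures

def resolve(name, zones, max_hops=8):  # follow CNAMEs, validating each step
    state = "SECURE"
    for _ in range(max_hops):
        zone = closest_zone(name, zones)
        rtype, rdata = zone.rrsets[name]
        step = zone_state(zone, zones)
        if "BOGUS" in (step, state):     # weakest step wins (RFC 4035 section 4.3)
            state = "BOGUS"
        elif step == "INSECURE":
            state = "INSECURE"
        if rtype != "CNAME":
            return rdata, state
        name = rdata
    return name, "BOGUS"                 # CNAME loop: fail closed

ZONES = {  # constructed zones; the IP is from the 203.0.113.0/24 documentation range
         "org": Zone("org", True), "io": Zone("io", True),
         "js.org": Zone("js.org", True, "org", True,
                        {"mermaid.js.org": ("CNAME", "mermaid-js.github.io")}),
         "github.io": Zone("github.io", False, "io",
                           rrsets={"mermaid-js.github.io": ("A", "203.0.113.20")})}

def apex_fix(zones):  # the apex-domain guide: A records in js.org instead of the CNAME
    fixed = copy.deepcopy(zones)
    fixed["js.org"].rrsets["mermaid.js.org"] = ("A", "203.0.113.20")
    return fixed
```

With the CNAME the answer is INSECURE (usable, but the unsigned github.io hop means no AD bit and a validator that mishandles the missing-DS proof can still reject it); with the A record every hop is signed by js.org and the answer is SECURE.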

zax-29 commented 3 months ago

I get this error with dnsmasq as well when dnssec validation is enabled, but duckduckgo.com resolves fine. It seems that it hits broader than just systemd-resolved.

shawty commented 1 month ago

Don't know if it's the same thing, but standard access on a windows desktop, nothing special being used.

Latest version of edge browser and:

[screenshot]

I CAN occasionally get pages to load from the site if I'm persistent, but it's very hit & miss, I can for example get one doc page up, then 10 minutes later, click on another in the left menu, and usually I'll get a "404" error page, but then when I click back, I'll get that DNS error again, and nothing works.

I did a brief look up on the domain using "MX toolbox" and in the "Find Problems" tool, it reckons that the DNS records serial ID (which is used for cache invalidation and timing) is invalid and outside acceptable range.

Don't know if any of that helps.

Addendum:

I tried this in an old version of Opera (V40) (that I keep around for debugging and programming my HTML based Smart TV) and this is what it comes back with:

[screenshot]

and just as I was looking in my DNS logs, to see if there were any errors I could report to you....

Class Diagrams page, loaded and rendered with no issue:

[screenshot]

Raniz85 commented 1 month ago

I opened an issue on systemd for this and it was closed because it needs to be fixed by the domain owner.

There's some additional information available over there.

The DNSviz contains a lot of information that might help. It seems to be an issue with the CNAME that points mermaid.js.org to mermaid-js.github.io.