I get a call: "Hey, the site is down. Fix it!"
Worked on my workstation, not on my phone => DNS issue.

Local cache: "All OK"
ISP's DNS: "No record"
Google DNS: "Server error"
MXToolbox: "All OK"
CloudFlare DNS: "Domain? What domain?"

After a day of fucking around with configs and wanting to strangle the customer support guy, I just started pressing buttons, until suddenly, it worked. Turns out I'd accidentally enabled DNSSEC on a domain that wasn't configured for it.

Lesson learned: There is no official DNS error code for "DNSSEC failed somewhere upstream". If you're lucky, you might get something useful out of the authoritative server, but apparently not on Mondays.

  • 12
    MXToolbox actually giving a shit about DNSSEC is scary...
    But how did you enable DNSSEC on the registrar and not place the RRSIG data in the zone?
  • 0
    ๐Ÿ“ Curious
  • 1
    ๐Ÿคtactical knowledge duck
  • 0
    @Linux I didn't actually check because once it was fixed, I didn't want to touch it, but I think this is what was going on:
    The registrar (Namecheap) doesn't actually allow you to set DNSSEC records manually (using their DNS servers). I think they generate the privkey and automatically sign all records. The only thing that I can think of that would've caused this was if they put a DS record in the TLD zone (.com), but didn't actually sign my records (RRSIG). When a (DNSSEC-aware) resolver came along, it found the DS record, but no RRSIG, so it spat out an error. Somewhere in the chain, there must've been a DNSSEC-oblivious resolver that interpreted that as "no record", hence me sleeping only 3 hours.
    All of this is pure speculation though, as all Namecheap lets me see is a "DNSSEC toggle" switch - which I will never be touching again.
  • 0
    Well, either you, or one of the providers badly fucked up. And .com is the worst tld to fuck up DNSSEC with.
    It was probably a ksk rollover that failed
  • 2
    @Linux right, they did postpone it to sometime around now.
    Either way, I claim full responsibility for clicking a button I shouldn't have right before half a week of national holidays.
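
Added example, not part of the original thread: a common way to tell a DNSSEC validation failure apart from an ordinary outage is to send the same query twice to a validating resolver, once normally and once with the CD (checking disabled) header bit set, and compare the response codes. The function names and the response headers below are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
CD_BIT, AD_BIT = 0x0010, 0x0020          # DNS header flag bits (RFC 4035)

def build_query(name, qtype=1, cd=False, qid=0x1234):
    """Query with RD=1, an EDNS0 OPT record carrying DO=1, and optionally CD=1."""
    flags = 0x0100 | (CD_BIT if cd else 0)               # RD, plus CD on request
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    question = qname + struct.pack("!2H", qtype, 1)      # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0,
    # flags with DO=0x8000, empty RDATA
    opt = b"\0" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Return (rcode name, AD flag) from the 12-byte header of a response."""
    _, flags, *_ = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    return RCODES.get(rcode, str(rcode)), bool(flags & AD_BIT)

def diagnose(normal_resp, cd_resp):
    """Compare one query answered with validation on (normal) and off (CD=1)."""
    rcode, ad = parse_header(normal_resp)
    cd_rcode, _ = parse_header(cd_resp)
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        return "DNSSEC validation failure: data exists, chain of trust is broken"
    if rcode == "SERVFAIL":
        return "SERVFAIL even with CD=1: not validation, check the authoritatives"
    if rcode == "NOERROR" and ad:
        return "validated (AD=1)"
    return f"{rcode} without AD: answer was not validated by this resolver"

# Constructed response headers (QR=1, RD=1, RA=1 -> 0x8180), not real captures.
def _hdr(flags):
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)

SERVFAIL = _hdr(0x8180 | 2)
NOERROR_CD = _hdr(0x8180 | CD_BIT)
NOERROR_AD = _hdr(0x8180 | AD_BIT)
NOERROR_PLAIN = _hdr(0x8180)

if __name__ == "__main__":
    print(diagnose(SERVFAIL, NOERROR_CD))      # the DS-without-RRSIG situation
    print(diagnose(NOERROR_AD, NOERROR_CD))    # healthy signed zone
```

On the command line the same comparison is `dig example.com` against `dig +cdflag example.com`, both sent to a validating resolver.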