Test failure rates for CAA queries #1546
Comments
I wrote a quick Boulder script to check this: lookups.txt. It's still running, but here are results so far:
Could you run the same sample against an authoritative Unbound instance and see if anything changes? (beyond the REFUSED -> SERVFAIL conversion)
This was against an authoritative Unbound.
Although perhaps not... I'm also running a copy on a VPS, talking to a local Unbound with the exact same config as prod, and no longer get any REFUSED in the logs. So I may have screwed up the config when generating the preview above.
Hm, are you running different versions of Unbound on the two machines perchance?
First: 1.4.22, second: 1.4.20
Here's what I got on my scan of the ICANN TLD list, running through BIND: NOERROR: 6428; Timeout domains: i.ph; SERVFAIL domains: edu.la
I tried again with a bigger instance, and went through the list again:
So, 0.1% of currently-issued names respond SERVFAIL for CAA. Note: When I spot-checked some of the SERVFAIL hostnames, some of them also returned SERVFAIL for A lookups. The next step would be to run a test that looks up both A and CAA together, and counts the result only if the A lookup was successful.
Updated code at https://github.com/jsha/go/blob/master/caa-lookups/lookups.go checks A before CAA. |
Next steps on this: get the contact list, notify, document, flip flag. |
Ticket filed to enable this in staging. |
Currently if a LookupCAA query hits a SERVFAIL response code it will return an empty set of CAA records and continue as normal (which is equivalent to a domain not having any CAA records). This was initially done because a number of large DNS providers did not support CAA and would return a REFUSED response code, instead of say NODATA. Unfortunately Unbound returns the same RCODE, SERVFAIL, if an upstream resolver returns REFUSED as it returns if the answer fails DNSSEC validation.

In the interim Cloudflare seems to have silently fixed this, so we should now run a test against a large sample of domains we have issued for to see if a large enough number of other DNS providers support CAA. If most providers do support CAA we should remove the code that treats a returned SERVFAIL the same as a domain having no records.