[Pdns-users] TLSA problemns

steffannoord at gmail.com steffannoord at gmail.com
Fri Dec 13 14:04:02 UTC 2019 

Yes it is my own.
I use mysql replication 
If i test the dns servers it works.

I also see the difference in the TTL, but the settings are in my dns for several months.

The reasen why i test 8.8.8.8 is that SIDN uses them to test for tlsa/dane
And my domains are failing for there test.

Met vriendelijke groet,
Steffan Noord 

-----Oorspronkelijk bericht-----
Van: Brian Candler <b.candler at pobox.com> 
Verzonden: vrijdag 13 december 2019 14:44
Aan: steffannoord at gmail.com; 'Pdns-users Users' <pdns-users at mailman.powerdns.com>
Onderwerp: Re: [Pdns-users] TLSA problemns

On 13/12/2019 13:23, steffannoord at gmail.com wrote:
> I have a strange problem.
> When i do a:
> dig _25._tcp.mail01.tkservers.com tlsa @8.8.8.8
>
> om getting sometimes a NOERROR and sometimes a NXDOMAIN
>
> When i change the 8.8.8.8 to my dns servers that it works fine.
> When i use 1.1.1.1  it works fine
>
> Any idees why Google gives a NXDOMAIN randomly?

8.8.8.8 will be a big anycast pool of caches, and you may hit a different one with each query.  Other providers might have "sticky" load balancing.  Notice how the TTL bounces up and down here:

$ dig @8.8.8.8 powerdns.com | grep '^powerdns\.com'
powerdns.com.        3599    IN    A    188.166.104.92 $ dig @8.8.8.8 powerdns.com | grep '^powerdns\.com'
powerdns.com.        3599    IN    A    188.166.104.92 $ dig @8.8.8.8 powerdns.com | grep '^powerdns\.com'
powerdns.com.        1227    IN    A    188.166.104.92 $ dig @8.8.8.8 powerdns.com | grep '^powerdns\.com'
powerdns.com.        3026    IN    A    188.166.104.92 $ dig @8.8.8.8 powerdns.com | grep '^powerdns\.com'
powerdns.com.        3595    IN    A    188.166.104.92

Is tkservers.com your own domain?

You would need to dig into the details, but there are a whole bunch of possible reasons, most likely due to misconfiguration of tkservers.com authoritative DNS.  Examples:

- synchronization problem between master and slaves
- NS records in the delegation are different to the NS records in the zone

Or it could just be a temporary anomaly due to TTL expiring after a change, and will eventually become consistent.

More information about the Pdns-users mailing list