Debian.org does not seem to resolve

Jamar666 · April 29, 2022, 1:18am

sometime between yesterday and today, i can not seem to be able to resolve "debian.org".
i noticed this today when trying to check/update (apt) my pi; which is running debian 11 64-bit + pihole + cloudflared (for doh - using quad9 upstream).

as far as i know nothing has changed since yesterday; i was able to check/update (apt) yesterday just fine, and adlist i believe did not update/change at all (if i recall they usually update on sunday). besides debian.org (apt), normal web browsing seems perfectly fine from what i can tell.

i did also notice that when doing a dig via the cloudflared service, i am able to resolve "debian.org", but from pihole i cannot - i get "SERVFAIL".

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 security.debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 security.debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11629
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 898bbdedcbe9a870 (echoed)
;; QUESTION SECTION:
;security.debian.org.           IN      A

;; ANSWER SECTION:
security.debian.org.    33      IN      A       151.101.130.132
security.debian.org.    33      IN      A       151.101.194.132
security.debian.org.    33      IN      A       151.101.66.132
security.debian.org.    33      IN      A       151.101.2.132

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 21:00:58 EDT 2022
;; MSG SIZE  rcvd: 200

pi@raspbian-5:~ $
pi@raspbian-5:~ $ dig security.debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61621
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 018d54057d8b9803 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;security.debian.org.           IN      A

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 21:01:12 EDT 2022
;; MSG SIZE  rcvd: 66

pi@raspbian-5:~ $

i tried triggering a gravity update (sudo pihole updateGravity) to see if that would help/change anything, but no change.

Debug Token: https://tricorder.pi-hole.net/XsJtTJjB/

edit: just noticed actually that it's trying to use retry via TCP. i'm not sure why all of sudden.

;; Truncated, retrying in TCP mode.

Jamar666 · April 29, 2022, 3:53am

doing some googling, i came across this: issues resolving DNSSEC queries with cloudflared as upstream · Issue #1263 · pi-hole/FTL · GitHub
not sure how much it relates or not yet

however, i used it to mimic some of the dig options

below are ran in the same order with the options, however the first is via cloudflared service, and the second via pihole (cloudflared service as upstream)

CloudFlared Service - quad9 upstream

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34985
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: dbe6b027cf9b1e64 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.77
debian.org.             300     IN      A       149.20.4.15

;; Query time: 68 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:10 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28648
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: ee0434c575ceecdb (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             295     IN      A       128.31.0.62
debian.org.             295     IN      A       130.89.148.77
debian.org.             295     IN      A       149.20.4.15
debian.org.             295     IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:16 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3078
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7768d02997dd6ba6 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             287     IN      A       128.31.0.62
debian.org.             287     IN      A       130.89.148.77
debian.org.             287     IN      A       149.20.4.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:24 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 1b44a07d91b4e4fc (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             281     IN      A       128.31.0.62
debian.org.             281     IN      A       130.89.148.77
debian.org.             281     IN      A       149.20.4.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:51:30 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $

Pihole Service

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 34399c138967f75c (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:43 EDT 2022
;; MSG SIZE  rcvd: 57

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +dnssec debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 92a4693e6eaf3151 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:49 EDT 2022
;; MSG SIZE  rcvd: 57

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14684
;; flags: qr aa tc rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a2a117bd47db42d6 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             195     IN      A       128.31.0.62
debian.org.             195     IN      A       130.89.148.77
debian.org.             195     IN      A       149.20.4.15

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:52:56 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52800
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0076f55e87f856b4 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:53:06 EDT 2022
;; MSG SIZE  rcvd: 57

pi@raspbian-5:~ $

Jamar666 · April 29, 2022, 4:12am

changing cloudflared service to use cloudflare upstream, is slightly different when running a dig via pihole.

below is in same order as above:

CloudFlared Service - cloudflare upstream

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49455
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6bc85c6e4217e75e (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             47      IN      A       149.20.4.15
debian.org.             47      IN      A       130.89.148.77
debian.org.             47      IN      A       128.31.0.62

;; Query time: 12 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:58:47 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23067
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: efb5b20f50ae298f (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             41      IN      A       149.20.4.15
debian.org.             41      IN      A       130.89.148.77
debian.org.             41      IN      A       128.31.0.62
debian.org.             41      IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:58:54 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c5746fc00f03544c (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             35      IN      A       149.20.4.15
debian.org.             35      IN      A       130.89.148.77
debian.org.             35      IN      A       128.31.0.62

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:00 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e26514eba81507db (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             28      IN      A       149.20.4.15
debian.org.             28      IN      A       130.89.148.77
debian.org.             28      IN      A       128.31.0.62

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:07 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $

Pihole Service

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58075
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 04d978a71631e1e8 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             15      IN      A       149.20.4.15
debian.org.             15      IN      A       130.89.148.77
debian.org.             15      IN      A       128.31.0.62

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:20 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41558
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 88594afe82c9b487 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             9       IN      A       149.20.4.15
debian.org.             9       IN      A       130.89.148.77
debian.org.             9       IN      A       128.31.0.62
debian.org.             9       IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:26 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64431
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1fdc2ba4721c8327 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             299     IN      A       130.89.148.77
debian.org.             299     IN      A       149.20.4.15
debian.org.             299     IN      A       128.31.0.62

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:37 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32073
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             291     IN      A       128.31.0.62
debian.org.             291     IN      A       149.20.4.15
debian.org.             291     IN      A       130.89.148.77

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 28 23:59:45 EDT 2022
;; MSG SIZE  rcvd: 87

pi@raspbian-5:~ $

dig seems to work/resolve now - not sure if it is using cache though.

pi@raspbian-5:~ $ dig debian.org

; <<>> DiG 9.16.27-Debian <<>> debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             84      IN      A       130.89.148.77
debian.org.             84      IN      A       128.31.0.62
debian.org.             84      IN      A       149.20.4.15

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 00:03:12 EDT 2022
;; MSG SIZE  rcvd: 87

pi@raspbian-5:~ $

not exactly sure what the issue is, but i guess i can use cloudflare upstream as a work-around for now.

what other DOH service(s) do you suggest/recommend besides cloudflared?

currently i am setup as; pihole -> cloudflared with DOH

i was thinking of eventually trying to switching to; pihole + dnscrypt + DOH (or DOT).
thoughts, suggestions, recommended client(s) for dnscrypt + DOH/DOT ?

Jamar666 · April 29, 2022, 4:14am

so it must have been cached, running a fresh dig after some time, it is still ultimately truncated:

pi@raspbian-5:~ $ dig debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60326
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7ef7ae5978e6d483 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.77
debian.org.             300     IN      A       149.20.4.15

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 00:12:49 EDT 2022
;; MSG SIZE  rcvd: 129

however, because it is able to get an answer, i am now able to check/update via apt again

Bucking_Horn · April 29, 2022, 10:41am

Truncation is normal, it happens routinely when a request becomes too large to fit in a single UDP packet as accepted by an upstream DNS (1232 bytes is the current recommend maximum for UDP).
It will require the client to send the request again via TCP, dividing it into multiple packets.
This is a normal DNS protocol procedure, which by itself would never cause a SERVFAIL.

However, your initial dig results contain an explicit cause for the SERVFAIL by supplying an Extended DNS Error (EDE) code:

Jamar666:

pi@raspbian-5:~ $ dig security.debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> security.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61621
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 018d54057d8b9803 (echoed)
; EDE: 9 (DNSKEY Missing)

This would suggest that DNSSEC validation for the domain has failed, likely because there was no DNSKEY to match the DS record for validation (or, less likely, because Pi-hole's upstream failed to return it, possibly due to outdated cached entries for either record type).

Just a guess: As this seems to be working now, this may have been a genuine error in the DNS configuration for the requested domain, i.e. the domain admins may have adjusted DNSKEY and/or DS records in the meantime, so that DNSSEC validation can again succeed.

Jamar666 · April 29, 2022, 12:58pm

it doesn't seem like a dns admin issue, as it works fine from the cloudflared service when using both cloudflared and quad9 upstream, but fails from pihole.

none of the cloudflared digs have the truncated message and all digs return an answer.

however from pihole, depending which upstream my cloudflared is pointing to (quad9 or cloudflare), it returns a little differently. with the "working" scenario currently being when using cloudflare as the upstream.

it appears to possibly be something between pihole and cloudflared, but why specifically "debian.org" i have no idea.

i just tried again, and when switching back to quad9 upstream, it is still broken - no answers returned.

as i mentioned, it appears to only affect "debian.org" - all other browsing works fine, regardless of upstream.

below are the digs from this morning, which appear to be the same.

CloudFlared Service - quad9 upstream

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12198
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9bbd26246b7ec878 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.77
debian.org.             300     IN      A       149.20.4.15

;; Query time: 220 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:19 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56266
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: cefd207b8d67c2ad (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             295     IN      A       128.31.0.62
debian.org.             295     IN      A       130.89.148.77
debian.org.             295     IN      A       149.20.4.15
debian.org.             295     IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:24 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f822aec6d57293e7 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             291     IN      A       128.31.0.62
debian.org.             291     IN      A       130.89.148.77
debian.org.             291     IN      A       149.20.4.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:29 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13602
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a47943477a296282 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             286     IN      A       128.31.0.62
debian.org.             286     IN      A       130.89.148.77
debian.org.             286     IN      A       149.20.4.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:34 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $

Pihole Service - cloudflared service upstream using quad9

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24695
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             132     IN      A       128.31.0.62
debian.org.             132     IN      A       149.20.4.15
debian.org.             132     IN      A       130.89.148.77

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:42 EDT 2022
;; MSG SIZE  rcvd: 87

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +dnssec debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21969
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 3a2f3ea308c9303c (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:51 EDT 2022
;; MSG SIZE  rcvd: 57

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34838
;; flags: qr aa tc rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: e452c5460112aad1 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             262     IN      A       128.31.0.62
debian.org.             262     IN      A       130.89.148.77
debian.org.             262     IN      A       149.20.4.15

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:24:57 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41181
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1d48c7fd7d6821f5 (echoed)
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:25:03 EDT 2022
;; MSG SIZE  rcvd: 57

pi@raspbian-5:~ $

next set

CloudFlared Service - cloudflare upstream

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50078
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a39fd864563b6a22 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.77
debian.org.             300     IN      A       149.20.4.15

;; Query time: 76 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:52:34 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6415
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: f4b9d8e2ebcb81ec (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             296     IN      A       128.31.0.62
debian.org.             296     IN      A       130.89.148.77
debian.org.             296     IN      A       149.20.4.15
debian.org.             296     IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:52:39 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45586
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0a56af6b4995c619 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             291     IN      A       128.31.0.62
debian.org.             291     IN      A       130.89.148.77
debian.org.             291     IN      A       149.20.4.15

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:52:43 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 5053 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 5053 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: aa1f3ae6c39e7b72 (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             287     IN      A       128.31.0.62
debian.org.             287     IN      A       130.89.148.77
debian.org.             287     IN      A       149.20.4.15

;; Query time: 4 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Fri Apr 29 08:52:48 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $

Pihole Service - cloudflared service upstream using cloudflare

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 debian.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47995
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 47717554551a865e (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             265     IN      A       128.31.0.62
debian.org.             265     IN      A       130.89.148.77
debian.org.             265     IN      A       149.20.4.15

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:53:10 EDT 2022
;; MSG SIZE  rcvd: 129

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +dnssec debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51563
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e728df939363f58d (echoed)
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             260     IN      A       128.31.0.62
debian.org.             260     IN      A       130.89.148.77
debian.org.             260     IN      A       149.20.4.15
debian.org.             260     IN      RRSIG   A 8 2 300 20220530001838 20220419231838 27360 debian.org. VjvoC+gsfqRWMp+JC9CyGzm0uy6aQQNvwT16kq+GVDIMsfNt0rQ5cGFv M2wmHTJd5mcUvvuc9NZznj88GAQO8RX5j/2r2TuiE+9pvPZ7Q6Ld0DWN Q8dFbuQNyoCH0pnWRE9QBxKD8l2Dak5m7CdzFVEVoZ/rrv1ps/dVdJgk hwQd1TuIbzzpsSV774Vzz/YG3ApwmZzAuV3Hzrjl6lK7s9pDef/Mftn9 OYJTL//FwKjctKgn9CeIyPZ69Nz0J0jO

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:53:15 EDT 2022
;; MSG SIZE  rcvd: 373

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +notcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +notcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9453
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             256     IN      A       149.20.4.15
debian.org.             256     IN      A       130.89.148.77
debian.org.             256     IN      A       128.31.0.62

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:53:19 EDT 2022
;; MSG SIZE  rcvd: 87

pi@raspbian-5:~ $ dig @127.0.0.1 -p 53 +tcp +ignore debian.org

; <<>> DiG 9.16.27-Debian <<>> @127.0.0.1 -p 53 +tcp +ignore debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53487
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             251     IN      A       128.31.0.62
debian.org.             251     IN      A       149.20.4.15
debian.org.             251     IN      A       130.89.148.77

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 29 08:53:24 EDT 2022
;; MSG SIZE  rcvd: 87

pi@raspbian-5:~ $

Bucking_Horn · April 29, 2022, 2:13pm

If dns-utils or bind9-dnsutils are installed, the Domain Entity Lookup and Validation tool delv may provide more insights into why DNSSEC validation fails, e.g. try something like:

delv @127.0.0.1 -p 53 +rtrace +multiline security.debian.org

Jamar666 · April 29, 2022, 11:41pm

thanks for the command!

i don't know what might have changed, or possibly been updated upstream somewhere perhaps? but using quad9 with cloudflare seems to be okay again with "debian.org". so thats good, but i dunno what may have caused it, and specifically that domain - everything else seemed fine.\

in any case, when it was "broken", heres the output from that command:

pi@raspbian-5:~ $ delv @127.0.0.1 -p 53 +rtrace +multiline security.debian.org
;; fetch: security.debian.org/A
;; resolution failed: SERVFAIL
pi@raspbian-5:~ $ 
pi@raspbian-5:~ $ delv @127.0.0.1 -p 5053 +rtrace +multiline security.debian.org
;; fetch: security.debian.org/A
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
security.debian.org.    290 IN A 151.101.2.132
security.debian.org.    290 IN A 151.101.66.132
security.debian.org.    290 IN A 151.101.130.132
security.debian.org.    290 IN A 151.101.194.132
security.debian.org.    290 IN RRSIG A 8 3 300 (
                                20220607214510 20220428212621 27360 debian.org.
                                I5JBJNCXRstsSvXONiBT1q2nF5ypj640wNOxKCfdr0j6
                                k1oxgrnWbPz1/IY2Otmc9mgF9yauQSMuhrY2U/LNDoYm
                                yCA8vGIJivp7cHBnqBgZwBg5QVsxeC9WAw+oI0StiMRK
                                ffhJQjtL7ZjKjsRazDVt+wwCToMMb4HVXfZfOwzSL4Y0
                                Ey6smVOCKoIHory0rrNmAHJFR2bPseKkuhXPujedvvSa
                                b9mgikHmvebqRJyiG36FyZfgjqxylmTovik3 )
pi@raspbian-5:~ $

and here when working, which is the same as above when against cloudflare itself

pi@raspbian-5:~ $ delv @127.0.0.1 -p 53 +rtrace +multiline security.debian.org
;; fetch: security.debian.org/A
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
security.debian.org.    300 IN A 151.101.2.132
security.debian.org.    300 IN A 151.101.66.132
security.debian.org.    300 IN A 151.101.130.132
security.debian.org.    300 IN A 151.101.194.132
security.debian.org.    300 IN RRSIG A 8 3 300 (
                                20220607214510 20220428212621 27360 debian.org.
                                I5JBJNCXRstsSvXONiBT1q2nF5ypj640wNOxKCfdr0j6
                                k1oxgrnWbPz1/IY2Otmc9mgF9yauQSMuhrY2U/LNDoYm
                                yCA8vGIJivp7cHBnqBgZwBg5QVsxeC9WAw+oI0StiMRK
                                ffhJQjtL7ZjKjsRazDVt+wwCToMMb4HVXfZfOwzSL4Y0
                                Ey6smVOCKoIHory0rrNmAHJFR2bPseKkuhXPujedvvSa
                                b9mgikHmvebqRJyiG36FyZfgjqxylmTovik3 )
pi@raspbian-5:~ $ delv @127.0.0.1 -p 5053 +rtrace +multiline security.debian.org
;; fetch: security.debian.org/A
;; fetch: debian.org/DNSKEY
;; fetch: debian.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
security.debian.org.    280 IN A 151.101.2.132
security.debian.org.    280 IN A 151.101.66.132
security.debian.org.    280 IN A 151.101.130.132
security.debian.org.    280 IN A 151.101.194.132
security.debian.org.    280 IN RRSIG A 8 3 300 (
                                20220607214510 20220428212621 27360 debian.org.
                                I5JBJNCXRstsSvXONiBT1q2nF5ypj640wNOxKCfdr0j6
                                k1oxgrnWbPz1/IY2Otmc9mgF9yauQSMuhrY2U/LNDoYm
                                yCA8vGIJivp7cHBnqBgZwBg5QVsxeC9WAw+oI0StiMRK
                                ffhJQjtL7ZjKjsRazDVt+wwCToMMb4HVXfZfOwzSL4Y0
                                Ey6smVOCKoIHory0rrNmAHJFR2bPseKkuhXPujedvvSa
                                b9mgikHmvebqRJyiG36FyZfgjqxylmTovik3 )
pi@raspbian-5:~ $

i'll wait and report back should it re-appear

system · May 20, 2022, 11:41pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.