
SERVFAIL on (email) TLSA test gives as a result that there is no TLSA record present #1534

Open
mdavids opened this issue Oct 18, 2024 · 1 comment

Comments


mdavids commented Oct 18, 2024

https://internet.nl/mail/sidn.nl/1361430/#control-panel-27

Saying that 'no' TLSA exists while in fact there was a SERVFAIL might be too optimistic?

```
dig @8.8.8.8 TLSA _25._tcp.sidn-nl.mail.protection.outlook.com

; <<>> DiG 9.20.3 <<>> @8.8.8.8 TLSA _25._tcp.sidn-nl.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5868
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([104.47.72.81] rcode=NOTIMP for _25._tcp.sidn-nl.mail.protection.outlook.com/tlsa)
; EDE: 23 (Network Error): ([104.47.34.17] rcode=NOTIMP for _25._tcp.sidn-nl.mail.protection.outlook.com/tlsa)
; EDE: 22 (No Reachable Authority): (At delegation mail.protection.outlook.com for _25._tcp.sidn-nl.mail.protection.outlook.com/tlsa)
;; QUESTION SECTION:
;_25._tcp.sidn-nl.mail.protection.outlook.com. IN TLSA

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Fri Oct 18 14:07:12 UTC 2024
;; MSG SIZE  rcvd: 348
```
@bwbroersma (Collaborator) commented

The error is not consistent on all public resolvers, Cloudflare DNS returns a NXDOMAIN:

```
$ dig @1.1.1.1 TLSA _25._tcp.sidn-nl.mail.protection.outlook.com

; <<>> DiG 9.16.50-Debian <<>> @1.1.1.1 TLSA _25._tcp.sidn-nl.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27737
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_25._tcp.sidn-nl.mail.protection.outlook.com. IN TLSA

;; Query time: 27 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Nov 12 16:19:43 CET 2024
;; MSG SIZE  rcvd: 73
```

Quad9 does give a SERVFAIL (note that the EDE 22 is not always included).
Note that Google DNS always shows EDE 22, together with one or two EDE 23s.

Here is the DNSViz.
Unbound agrees:

```
$ unbound-host -C /resolver/resolver-permissive.conf -t TLSA _25._tcp.sidn-nl.mail.protection.outlook.com
Host _25._tcp.sidn-nl.mail.protection.outlook.com not found: 2(SERVFAIL).
```

Running `unbound-host -ddd` shows this issue:

```
info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOTIMPL, id: 0
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
_25._tcp.sidn-nl.mail.protection.outlook.com.   IN  TLSA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 62
```

So there is an EDNS FORMERR issue & a NOTIMP issue:

```
$ dig +norec @ns1-proddns.glbdns.protection.outlook.com. TLSA _25._tcp.sidn-nl.mail.protection.outlook.com

; <<>> DiG 9.16.50-Debian <<>> +norec @ns1-proddns.glbdns.protection.outlook.com. TLSA _25._tcp.sidn-nl.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 48420
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'

;; Query time: 23 msec
;; SERVER: 104.47.34.49#53(104.47.34.49)
;; WHEN: Tue Nov 12 16:49:02 CET 2024
;; MSG SIZE  rcvd: 12
$ dig +norec +noedns @ns1-proddns.glbdns.protection.outlook.com. TLSA _25._tcp.sidn-nl.mail.protection.outlook.com

; <<>> DiG 9.16.50-Debian <<>> +norec +noedns @ns1-proddns.glbdns.protection.outlook.com. TLSA _25._tcp.sidn-nl.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 10574
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_25._tcp.sidn-nl.mail.protection.outlook.com. IN TLSA

;; Query time: 135 msec
;; SERVER: 104.47.118.145#53(104.47.118.145)
;; WHEN: Tue Nov 12 16:49:14 CET 2024
;; MSG SIZE  rcvd: 62
```

And this is in violation of RFC 8906 (BCP 231) - A Common Operational Problem in DNS Servers: Failure to Communicate - § 3.1.2. Unknown/Unsupported Type Queries?
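The point of the thread is that a checker must keep "the resolver answered that no TLSA record exists" apart from "the resolver could not answer at all". The following is an added illustration, not internet.nl's code: it decodes the 12-byte DNS response header and maps the RCODE to a three-way TLSA verdict, using headers constructed to mirror the SERVFAIL (id 5868) and NXDOMAIN (id 27737) answers shown above. It simplifies by treating any NOERROR answer with ANCOUNT > 0 as "present" (a full checker would parse the answer RRs and ignore CNAMEs).

```python
import struct
from enum import Enum

# RCODE values from RFC 1035 / RFC 2136; the low 4 bits of the flags word.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


class TlsaStatus(Enum):
    PRESENT = "TLSA record(s) present"
    ABSENT = "no TLSA record (negative answer from the resolver)"
    INDETERMINATE = "lookup failed; TLSA presence unknown, do not report as absent"


def parse_header(wire: bytes) -> dict:
    """Decode the fixed 12-byte DNS header: ID, flags and section counts."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    return {"id": msg_id, "qr": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, f"RCODE{rcode}"), "ancount": ancount}


def classify_tlsa(header: dict) -> TlsaStatus:
    """Only NOERROR and NXDOMAIN are real negative/positive answers; every
    other RCODE (SERVFAIL, NOTIMP, FORMERR, REFUSED, ...) means the
    resolver failed, so TLSA presence is unknown."""
    if header["rcode"] == "NOERROR":
        return TlsaStatus.PRESENT if header["ancount"] > 0 else TlsaStatus.ABSENT
    if header["rcode"] == "NXDOMAIN":
        return TlsaStatus.ABSENT
    return TlsaStatus.INDETERMINATE


def make_header(msg_id: int, rcode: int, ancount: int = 0, arcount: int = 0,
                flags: int = 0x8180) -> bytes:
    """Build a response header (QR|RD|RA set by default) for the constructed samples."""
    return struct.pack("!HHHHHH", msg_id, flags | rcode, 1, ancount, 0, arcount)


# Constructed headers mirroring the dig output in this issue (not captured packets).
GOOGLE_SERVFAIL = make_header(5868, 2, arcount=1)       # 8.8.8.8: status SERVFAIL
CLOUDFLARE_NXDOMAIN = make_header(27737, 3, arcount=1)  # 1.1.1.1: status NXDOMAIN

if __name__ == "__main__":
    for resolver, wire in (("8.8.8.8", GOOGLE_SERVFAIL), ("1.1.1.1", CLOUDFLARE_NXDOMAIN)):
        hdr = parse_header(wire)
        print(resolver, hdr["rcode"], "->", classify_tlsa(hdr).value)
```

Run against the two constructed headers, the Google answer comes out as INDETERMINATE and the Cloudflare answer as ABSENT, which is the distinction the report should preserve.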
