Website unavailable due to lack of DNSSEC #5331
Comments
DNSSEC is not supported by Netlify. https://answers.netlify.com/t/dnssec-support-on-netlify/3360/48
@sidharthv96 I investigated this further; it might be a bug in the DNS resolver on my end. Let me track this down and make sure it's a global issue. I'll get back to you soon.
@MJDSys did you figure out where the issue is?
Hi @sidharthv96, sorry for the delay; it took me a little more research to understand what's going on. The good news is you don't need the domain to have DNSSEC enabled. I misunderstood the standard and assumed my DNS resolver was giving errors because of it. The underlying problem seems to come from systemd-resolved and your use of CNAME records. If systemd-resolved sees a CNAME record for a delegated domain, it assumes the domain is not delegated (which may be a correct assumption? That's not clear to me without reading the various RFCs). This causes systemd-resolved to assume mermaid.js.org should be signed by js.org, which it isn't, and thus fails. A similar situation occurs with Duck Duck Go, and there is a bug report against systemd here: systemd/systemd#31484. If you don't mind, I believe the issue can be resolved by this project by following the guide for apex domains from GitHub (https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/managing-a-custom-domain-for-your-github-pages-site#configuring-an-apex-domain). This would avoid the CNAME record and fix the issue. Sorry for raising the original concern; I was worried the problem was more widespread. I didn't mean to cause unnecessary panic.
I get this error with dnsmasq as well when DNSSEC validation is enabled, but duckduckgo.com resolves fine. It seems that it hits broader than just systemd-resolved.
Don't know if it's the same thing, but standard access on a Windows desktop, nothing special being used. Latest version of Edge browser and: I CAN occasionally get pages to load from the site if I'm persistent, but it's very hit & miss. I can, for example, get one doc page up, then 10 minutes later, click on another in the left menu, and usually I'll get a "404" error page, but then when I click back, I'll get that DNS error again, and nothing works. I did a brief lookup on the domain using "MX toolbox" and in the "Find Problems" tool, it reckons that the DNS record's serial ID (which is used for cache invalidation and timing) is invalid and outside acceptable range. Don't know if any of that helps. Addendum: I tried this in an old version of Opera (V40) (that I keep around for debugging and programming my HTML based Smart TV) and this is what it comes back with: and just as I was looking in my DNS logs, to see if there were any errors I could report to you.... Class Diagrams page, loaded and rendered with no issue:
I opened an issue on systemd for this and it was closed because it needs to be fixed by the domain owner. There's some additional information available over there. The DNSViz contains a lot of information that might help. It seems to be an issue with the CNAME that points mermaid.js.org to mermaid-js.github.io.
Description
Due to js.org enabling DNSSEC, the mermaid.js.org domain name cannot be resolved if a DNSSEC validating resolver is being used. This causes the website/email/etc. to be unavailable. As this may be implemented at the ISP level, this may cause the website to be unavailable with little recourse for many people.
I realize that this is complicated by the interaction between the js.org project and the mermaid project, so I understand if it will take some time to resolve, but I wanted to raise awareness here so the process can begin :)