Strange "Invalid DNSSEC signatures" received from widely used public DNS servers

[jean-christophe-manciot]

Output of the following commands:

./dnscrypt-proxy -version

2.1.1

./dnscrypt-proxy -check

[2022-06-18 18:08:59] [NOTICE] dnscrypt-proxy 2.1.1
[2022-06-18 18:08:59] [NOTICE] Source [public-resolvers] loaded
[2022-06-18 18:08:59] [NOTICE] Source [relays] loaded
[2022-06-18 18:08:59] [NOTICE] Configuration successfully checked

./dnscrypt-proxy -resolve example.com

Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 108.162.228.202

Canonical name: example.com.

IPv4 addresses: 93.184.216.34
IPv6 addresses: 2606:2800:220:1:248:1893:25c8:1946

Name servers  : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes
Mail servers  : 1 mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 -all, wgyf8z8cgvm2qmxpnbnldrcltvk4xqfn

What is affected by this bug?

?

When does this occur?

sporadically

Where does it happen?

paris, france

How do we replicate the issue?

Ubuntu jammy
ISP not supporting IPv6.
dnscrypt-proxy.toml:

server_names = ['quad9-doh-ip4-port443-filter-pri', 'scaleway-fr', 'cloudflare-security']
...
require_dnssec = true

# Server must not log user queries (declarative)
require_nolog = true

# Server must not enforce its own blocklist (for parental control, ads blocking...)
require_nofilter = false
...

Suddenly, some servers experience loss of connectivity with some strange Updating stamp:

[2022-06-18 17:41:12] [NOTICE] dnscrypt-proxy 2.1.1
[2022-06-18 17:41:12] [NOTICE] Network connectivity detected
[2022-06-18 17:41:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2022-06-18 17:41:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
...
[2022-06-18 17:41:12] [NOTICE] Source [public-resolvers] loaded
[2022-06-18 17:41:12] [NOTICE] Source [relays] loaded
[2022-06-18 17:41:12] [NOTICE] Firefox workaround initialized
[2022-06-18 17:41:12] [NOTICE] Loading the set of blocking rules from [blocked-names.txt]
[2022-06-18 17:41:12] [INFO] [quad9-doh-ip4-port443-filter-pri] TLS version: 304 - Protocol: h2 - Cipher suite: 4866
[2022-06-18 17:41:12] [NOTICE] [quad9-doh-ip4-port443-filter-pri] OK (DoH) - rtt: 8ms
[2022-06-18 17:41:12] [INFO] [cloudflare-security] TLS version: 304 - Protocol: h2 - Cipher suite: 4865
[2022-06-18 17:41:12] [NOTICE] [cloudflare-security] OK (DoH) - rtt: 9ms
[2022-06-18 17:41:17] [NOTICE] [scaleway-fr] TIMEOUT
[2022-06-18 17:41:17] [NOTICE] Sorted latencies:
[2022-06-18 17:41:17] [NOTICE] -     8ms quad9-doh-ip4-port443-filter-pri
[2022-06-18 17:41:17] [NOTICE] -     9ms cloudflare-security
[2022-06-18 17:41:17] [NOTICE] Server with the lowest initial latency: quad9-doh-ip4-port443-filter-pri (rtt: 8ms)
[2022-06-18 17:41:17] [NOTICE] dnscrypt-proxy is ready - live servers: 2
[2022-06-18 17:46:55] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:46:55] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:50:42] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:51:17] [INFO] Updating stamp for [quad9-doh-ip4-port443-filter-pri] was: sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk now: sdns://AgMAAAAAAAAADzE0OS4xMTIuMTEyLjExMiAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihFkbnMucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
[2022-06-18 17:59:58] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:59:58] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:59:58] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 17:59:58] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:01:03] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:01:07] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:01:07] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:01:07] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:01:17] [INFO] Updating stamp for [quad9-doh-ip4-port443-filter-pri] was: sdns://AgMAAAAAAAAADzE0OS4xMTIuMTEyLjExMiAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihFkbnMucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5 now: sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk
[2022-06-18 18:02:29] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:02:33] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:02:54] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:02:58] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:02:58] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:02:58] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:04:37] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:04:37] [INFO] Server [quad9-doh-ip4-port443-filter-pri] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:04:37] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:04:37] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:06:34] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues
[2022-06-18 18:06:34] [INFO] Server [cloudflare-security] returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues

Other Comments

I don't experience any issue pinging them:

# cloudflare-security
$ ping 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=58 time=6.10 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=58 time=5.70 ms
64 bytes from 1.1.1.2: icmp_seq=3 ttl=58 time=5.62 ms

# scaleway-fr
$ ping 212.47.228.136
PING 212.47.228.136 (212.47.228.136) 56(84) bytes of data.
64 bytes from 212.47.228.136: icmp_seq=1 ttl=51 time=5.91 ms
64 bytes from 212.47.228.136: icmp_seq=2 ttl=51 time=5.57 ms
64 bytes from 212.47.228.136: icmp_seq=3 ttl=51 time=5.43 ms

# quad9-doh-ip4-port443-filter-pri
$ ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=58 time=4.77 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=58 time=4.75 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=58 time=4.84 ms

And I find it very hard to believe that suddenly all those widely used DNS servers return invalid DNSSEC signatures.
Either:

• there is an issue with DCP. like timeout(s) which is/are too stringent to make it conclude too quickly that that the servers are experiencing connectivity issues.
• or there are ongoing DDOS attacks on those servers which is plausible given the current context.

Is someone experiencing the same situation?

[jean-christophe-manciot]

It seems that there is a round-robin selection of all three dnssec servers defined for , so I guess that's the meaning of the Updating stamp.

[jean-christophe-manciot]

I confirm that scaleway-fr is experiencing some DNS issue, but I can contact the 2 others without any issue:

$  dig @212.47.228.136 +nocmd any +multiline +answer google.fr
;; Connection to 212.47.228.136#53(212.47.228.136) for google.fr failed: connection refused.
;; Connection to 212.47.228.136#53(212.47.228.136) for google.fr failed: connection refused.
;; Connection to 212.47.228.136#53(212.47.228.136) for google.fr failed: connection refused.

$ dig @1.1.1.2 +nocmd any +multiline +answer google.fr
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 7456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.fr.		IN ANY

;; Query time: 8 msec
;; SERVER: 1.1.1.2#53(1.1.1.2) (TCP)
;; WHEN: Sat Jun 18 18:42:01 CEST 2022
;; MSG SIZE  rcvd: 38

$ dig @9.9.9.9 +nocmd any +multiline +answer google.fr
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21074
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.fr.		IN ANY

;; ANSWER SECTION:
google.fr.		297 IN A 142.250.185.131
google.fr.		21641 IN NS ns3.google.com.
google.fr.		21641 IN NS ns2.google.com.
google.fr.		21641 IN NS ns1.google.com.
google.fr.		21641 IN NS ns4.google.com.

;; Query time: 4 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sat Jun 18 18:42:22 CEST 2022
;; MSG SIZE  rcvd: 136

[jean-christophe-manciot]

Maybe I misinterpreted the meaning of Invalid DNSSEC signature received:

• is it the DNSSEC signature of some domain (not appearing in the log) for which we request its IP address?
• or is it the DNSSEC signature of the contacted DNS server itself?

[jedisct1]

Server returned temporary error code SERVFAIL -- Invalid DNSSEC signature received or server may be experiencing connectivity issues

You sent a query, and the server responded with a SERVFAIL error code.

dnscrypt-proxy forwards that response as-is, with received same error code.

There are two main reason for a server to respond with that error code. Either it tried to resolve the query, but upstream servers with the data were not reachable at that time. Or they were, but the response had DNSSEC signatures that were invalid.

Check the query log to see what domain names are causing this. Then a tool such as https://zonemaster.net/domain_check can tell you more about what configuration issue these domain names are experiencing.

[jean-christophe-manciot]

The query.log is very instructive:

...
[2022-06-18 19:10:13]	::1	140.222.97.209.in-addr.arpa	PTR	PASS	10ms	cloudflare-security
[2022-06-18 19:10:15]	127.0.0.1	ssl.gstatic.com	AAAA	PASS	0ms	-
[2022-06-18 19:10:15]	127.0.0.1	ssl.gstatic.com	A	PASS	0ms	-
[2022-06-18 19:10:18]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	4252ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	17ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	10ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	15ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	23.100.233.185.in-addr.arpa	PTR	PASS	17ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	18.55.20.178.in-addr.arpa	PTR	PASS	11ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	254.157.234.89.in-addr.arpa	PTR	PASS	12ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	139.87.172.163.in-addr.arpa	PTR	PASS	12ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	16.55.20.178.in-addr.arpa	PTR	PASS	25ms	cloudflare-security
[2022-06-18 19:10:18]	127.0.0.1	44.101.220.185.in-addr.arpa	PTR	PASS	12ms	cloudflare-security
[2022-06-18 19:10:19]	127.0.0.1	162.172.67.80.in-addr.arpa	PTR	PASS	14ms	cloudflare-security
[2022-06-18 19:10:19]	127.0.0.1	63.161.142.95.in-addr.arpa	PTR	PASS	27ms	cloudflare-security
[2022-06-18 19:10:19]	127.0.0.1	33.104.16.212.in-addr.arpa	PTR	NXDOMAIN	171ms	cloudflare-security
[2022-06-18 19:10:19]	127.0.0.1	162.108.36.54.in-addr.arpa	PTR	PASS	10ms	cloudflare-security
[2022-06-18 19:10:19]	127.0.0.1	204.238.202.149.in-addr.arpa	PTR	PASS	27ms	cloudflare-security
[2022-06-18 19:10:21]	127.0.0.1	signaler-pa.clients6.google.com	AAAA	PASS	89ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:21]	127.0.0.1	signaler-pa.clients6.google.com	A	PASS	89ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:25]	127.0.0.1	123.229.66.155.in-addr.arpa	PTR	NXDOMAIN	125ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:25]	127.0.0.1	158.154.22.5.in-addr.arpa	PTR	PASS	110ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:25]	127.0.0.1	63.98.184.92.in-addr.arpa	PTR	PASS	13ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:25]	127.0.0.1	184.102.184.92.in-addr.arpa	PTR	PASS	13ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:25]	127.0.0.1	13.104.184.92.in-addr.arpa	PTR	PASS	316ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:10:26]	127.0.0.1	236.136.252.82.in-addr.arpa	PTR	PASS	11ms	quad9-doh-ip4-port443-filter-pri
...

DCP continues to try to access cloudflare-security with its 248.26.22.195.in-addr.arpa request despite the SERVFAIL response, instead of trying the other active quad9-doh-ip4-port443-filter-pri DNS server.
Why is that?

[jean-christophe-manciot]

Same issue later on with the other server:

[2022-06-18 19:15:12]	127.0.0.1	clients4.google.com	A	PASS	8ms	cloudflare-security
[2022-06-18 19:15:12]	127.0.0.1	clients4.google.com	AAAA	PASS	11ms	cloudflare-security
[2022-06-18 19:18:49]	::1	168.106.139.176.in-addr.arpa	PTR	PASS	0ms	-
[2022-06-18 19:18:53]	127.0.0.1	github.com	A	PASS	0ms	-
[2022-06-18 19:18:53]	127.0.0.1	github.com	AAAA	PASS	0ms	-
[2022-06-18 19:18:55]	::1	3.112.82.140.in-addr.arpa	PTR	PASS	0ms	-
[2022-06-18 19:18:55]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	68ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:18:55]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	7ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:18:55]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	7ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:18:55]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	7ms	quad9-doh-ip4-port443-filter-pri
[2022-06-18 19:18:56]	127.0.0.1	23.100.233.185.in-addr.arpa	PTR	PASS	0ms	-
...

[jean-christophe-manciot]

Also, I do not see any DS/DNSKEY records requests despite require_dnssec = true.

[jean-christophe-manciot]

@jedisct1

• any thoughts about the latest posts?
• should we definitely remove scaleway-fr from the list of potential servers?

[jedisct1]

$ dig PTR 248.26.22.195.in-addr.arpa @4.2.2.2
;; connection timed out; no servers could be reached

$ dig PTR 248.26.22.195.in-addr.arpa @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31552
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

248.26.22.195.in-addr.arpa authoritative data is supposed to be served by ns11.anubisnetworks.net., ns12.anubisnetworks.net. and ns13.anubisnetworks.net. but none of these servers respond to queries for that zone.
This is a configuration error on their end.

[jean-christophe-manciot]

@jedisct1
You're missing the point, which is that sometimes DCP does not even try the other reachable server(s) defined in server_names.

[jedisct1]

The proxy got the correct response from the server, even if it has a SERVFAIL code. There's no need to ask the same question to a different server, which is likely to return the same response.

That being said, a SERVFAIL response gives the server a penalty, so if it happens to be a connectivity issue, these penalties will keep piling up, it will eventually have a low probability of being used, like slow response times do.

[jean-christophe-manciot]

@jedisct1
So why this?

[2022-06-19 12:32:46]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	58ms	quad9-doh-ip4-port443-filter-pri
[2022-06-19 12:32:46]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	10ms	scaleway-fr
[2022-06-19 12:32:50]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	4095ms	cloudflare-security
[2022-06-19 12:32:50]	127.0.0.1	248.26.22.195.in-addr.arpa	PTR	SERVFAIL	10ms	cloudflare-security

[jedisct1]

See https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Load-Balancing-Options for a description of how load balancing works.

[jean-christophe-manciot]

@jedisct1

lb_strategy is not specified in /etc/dnscrypt-proxy.toml, so lb_strategy = 'p2' is supposed to be used.
"The default strategy is p2 so dnscrypt-proxy will pick one of the two fastest servers".

1. for this post, only one server out of 2 has been tried.

[2022-06-18 18:49:39] [NOTICE] Sorted latencies:
[2022-06-18 18:49:39] [NOTICE] -     7ms quad9-doh-ip4-port443-filter-pri
[2022-06-18 18:49:39] [NOTICE] -    13ms cloudflare-security

2. for this post, 3 servers out of 3 have been tried.

[2022-06-19 12:10:18] [NOTICE] Sorted latencies:
[2022-06-19 12:10:18] [NOTICE] -     5ms quad9-doh-ip4-port443-filter-pri
[2022-06-19 12:10:18] [NOTICE] -     9ms cloudflare-security
[2022-06-19 12:10:18] [NOTICE] -    17ms scaleway-fr

Now, nothing is said in your Load Balancing Options page about the strategy implemented when the chosen server returns a SERVFAIL.

Tthis answer could mean for DCP:

• Invalid DNSSEC signature received
• OR server may be experiencing connectivity issues

DCP cannot determine with certainty which one is the cause for this error, so the correct behavior would be to try the next best available server, until one server among all reachable servers answers something else than SERVFAIL
This has been correctly tried in 2) but not in 1).

You cannot have both behaviors.

[jedisct1]

It is a very decent strategy. https://www.eecs.harvard.edu/~michaelm/postscripts/handbook2001.pdf

[ghost]

@jean-christophe-manciot
No, I'm not sarcastic, just unhappy with the algorithm.
I have no clue why it was chosen that way but it can certainly be fixed. It's just that someone needs to actually do it.

@jedisct1
I haven't read the pdf yet but I'm aware of this principle. However I'm not aware of it being used anywhere in DNSCrypt, especially not for load balancing. There are conditions to be met to make this work which aren't fullfilled in the load balancing code as far as I know. (Well, obviously the two fastest servers aren't randomly chosen to begin with. One only chooses one random server from these two.)

edit:
Done reading. Yes that's the power of two random choices as I know it. One would need to choose two random servers out of all servers and then choose the faster one. This is not implemented in DNSCrypt.
The problem is that we assume that only a few servers are fast and most are slow. In this case we would often choose unnecessary slow ones using this principle. Also the servers are sorted by speed and we would throw away this information instead of making use of it.

[jean-christophe-manciot]

@jedisct1
In this situation, any random algorithm to deal with SERVFAIL is not decent: if it happens that a single server is repeatedly chosen (as was shown could happen) to try to fulfill a request, and if there is another server which has a non-SERVFAIL answer, the DNS request will fail for no reason and it is something that I have experienced in my browser several times.

I can see several cases involving a failed answer:

1. a server from server_names becomes suddenly unreachable ==> another one must obviously be tried
2. the authoritative server contacted by a server from server_names is unreachable and the latter returns a SERVFAIL ==> another one should be tried because there can be some temporary network issue between the first two and this situation is impossible for DCP to determine definitely
3. the authoritative server contacted by a server from server_names returns a DNSSEC-signed response that doesn't verify and the latter answers with a SERVFAIL ==> another one should NOT be tried as it seems fair to consider that another server would discover the same DNSSEC-signed response as incorrect

I find it very surprising that a server would return the same SERVFAIL for two very different situations, making DCP unable to distinguish between them and unable to take 2 different actions.

As a conclusion, unless DCP finds a way to distinguish between the 2, DCP must try another server from server_names in all 3 failed situations. And any random algorithm should have nothing to do with it.

It may have something to do with some of the LB algorithms though, namely the p2, ph and random, but it shoud never be used when something goes wrong, i.e when one of the 3 failed situations happens.

@livingentity
Thanks so much for bringing that up.
You're saying that the algorithm from the PDF is not and should not be implemented, right?
Is there a way to distinguish between the 2 different sorts of SERVFAIL?

[jedisct1]

SERVFAIL IS A VALID RESPONSE IT DOESN'T MEAN THAT THE DOH/ODOH/DNSCRYPT SERVER EXPERIENCED A FAILURE.

The log message needs to be changed not to mentionSERVFAIL as it is confusing.

[ghost]

@jean-christophe-manciot
I just meant that the algorithm from the PDF isn't implemented. It is fine in general. I'll run some simulations comparing it to the current implementation.

[jedisct1]

Once again, SERVFAIL doesn't mean that the server itself was unreachable, didn't respond or returned something that didn't decrypt properly. It's a valid response a perfectly healthy server can send. As explained earlier, querying the authoritative server directly doesn't return anything, so the proper thing for the resolver to do is return SERVFAIL. The same thing happens if the resolver receives a DNSSEC-signed response that doesn't verify. It sending a SERVFAIL response actually means that the resolver+DoH/ODoH/DNSCrypt frontend work as expected.

[lifenjoiner]

Some of my thoughts:

One would need to choose two random servers out of all servers and then choose the faster one. This is not implemented in DNSCrypt.

I think here we made a variant: the servers are ranked, so we don't pick the better 1 from 2 totally randoms.

Let's review the whole model:

1. the ranking is made by a new estimation for a next cert_refresh_delay minutes, and cert_refresh_delay = 240 is default;
2. we choose 1 of the best n;
3. estimatorUpdate gives a 2nd chance to the non-best-n servers when the best n have gone bad (by EWMA of the last 10 queries), meaning we pick the better 1 from 2 sets.

If the stability (fast or slow) of all servers are:

• high, the ranking would be reliable;
• medium, cert_refresh_delay is the switch to decrease;
• poor, is there a better strategy to give better result?

SERVFAIL
Definition (RCODE = 2):
https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.1
It does cover several reasons on server side. You can search this.

I know some other DNS proxy has an option BlockNegativeResponse. If it is on and there is a SERVFAIL, client can retry (maybe onto another server). But it is not a cure. :p

So, you can see there is Proposed standard rfc8914 ...

[jean-christophe-manciot]

@lifenjoiner
Thanks a lot for bringing up the standards.

• RFC1035: Server failure - The name server was unable to process this query due to a problem with the name server.
• RFC 8914:
  • There are many reasons that a DNS query may fail -- some of them transient, some permanent; some can be resolved by querying another server, some are likely best handled by stopping resolution....the stub resolver's only option [with RFC 1035] is to ask the next configured DNS resolver.
  • This document specifies a mechanism to extend DNS errors to provide additional information about the cause of an error. The Extended DNS Error codes described in this document can be used by any system that sends DNS queries and receives a response containing an EDE option. Different codes are useful in different circumstances, and thus different systems (stub resolvers, recursive resolvers, and authoritative resolvers) might receive and use them

This is perfect :-). I know that it will take some time until all DNS resolvers support it, but we can expect the major ones (QUAD9, cloudflare, Google....) to support it soon enough; maybe they already do.
RFC 8914 sounds like a perfect plan as a foundation to replace the current random algorithm used to deal with failures by a decent one.