They seem to be using extremely short-lived signatures, probably created by an online-signer.
$ dig +short ns slack.com
ns-1493.awsdns-58.org.
ns-166.awsdns-20.com.
ns-1901.awsdns-45.co.uk.
ns-606.awsdns-11.net.

$ TZ=UTC dig @ns-1493.awsdns-58.org. +norec +dnssec +multiline +nocrypto slack.com

; <<>> DiG 9.18.24 <<>> @ns-1493.awsdns-58.org. +norec +dnssec +multiline +nocrypto slack.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8196
;; flags: qr aa ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;slack.com.             IN A

;; ANSWER SECTION:
slack.com.              60 IN A 18.134.215.41
slack.com.              60 IN A 18.169.120.191
slack.com.              60 IN A 18.168.172.238
slack.com.              60 IN A 18.169.61.189
slack.com.              60 IN RRSIG A 13 2 60 (
                                20240318194315 20240318174215 8040 slack.com.
                                [omitted] )

;; Query time: 44 msec
;; SERVER: 2600:9000:5305:d500::1#53(ns-1493.awsdns-58.org.) (UDP)
;; WHEN: Mon Mar 18 18:42:15 UTC 2024
;; MSG SIZE  rcvd: 207

The signature is only valid for an hour. Wild guess, your time is off.

On 2024-03-18 19:20 +01, Evan Sherwood <nee...@ton618.org> wrote:
> I have an unbound server using Quad9 as an upstream DNS provider. I have
> been unable to resolve records from slack.com recently using my local
> unbound.
>
> On the server:
>
> ```
> # dig @::1 slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> @::1 slack.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54174
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 7 (Signature Expired): 76 61 6c 69 64 61 74 69 6f 6e 20 66 61
> 69 6c 75 72 65 20 3c 73 6c 61 63 6b 2e 63 6f 6d 2e 20 41 20 49 4e 3e
> 3a 20 73 69 67 6e 61 74 75 72 65 20 65 78 70 69 72 65 64 20 66 72 6f
> 6d 20 32 36 32 30 3a 66 65 3a 3a 66 65 ("validation failure
> <slack.com. A IN>: signature expired from 2620:fe::fe")
> ;; QUESTION SECTION:
> ;slack.com.                    IN      A
>
> ;; Query time: 26 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Mon Mar 18 18:02:25 PDT 2024
> ;; MSG SIZE  rcvd: 116
> ```
>
> But when I try to query Quad9 directly, it works:
>
> ```
> # dig @2620:fe::fe slack.com
>
> ; <<>> dig 9.10.8-P1 <<>> slack.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2705
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;slack.com.                    IN      A
>
> ;; ANSWER SECTION:
> slack.com.              10      IN      A       35.81.85.251
> slack.com.              10      IN      A       44.234.235.93
> slack.com.              10      IN      A       54.70.179.16
> slack.com.              10      IN      A       44.237.180.172
> slack.com.              10      IN      A       52.89.90.67
> slack.com.              10      IN      A       54.245.50.245
> slack.com.              10      IN      A       54.188.33.22
> slack.com.              10      IN      A       54.71.95.193
> slack.com.              10      IN      A       35.82.91.193
>
> ;; Query time: 2 msec
> ;; SERVER: 2620:fe::fe#53(2620:fe::fe)
> ;; WHEN: Mon Mar 18 18:05:05 PDT 2024
> ;; MSG SIZE  rcvd: 182
> ```
>
> I've tried
>
> - `unbound-control reload`
> - `unbound-control flush slack.com`
> - `unbound-anchor`
>
> ... and there's no change. All other domains I've tried work.
>
> I am using one of StevenBlack's block lists and I changed that recently
> (from one list to another one), if that's relevant.
>
> I tried removing the block list entirely and saw no change.
>
> Here's my unbound.conf:
>
> ```
> server:
>     interface: ::1
>     interface: xxxx:xxxx:xxxx:xxxx::xxxx
>     do-ip6: yes
>     ede: yes
>     do-nat64: yes
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: xxxx:xxxx:xxxx:xxxx::xxxx allow
>     access-control: 192.168.1.0/32 allow
>     access-control: xxxx:xxxx:xxxx:5700::/64 allow
>     access-control: xxxx:xxxx:xxxx:5702::/64 allow
>     do-not-query-localhost: no
>     hide-identity: yes
>     hide-version: yes
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>     val-log-level: 2
>     aggressive-nsec: yes
>     private-address: ::1/128
>     private-address: ::ffff:0:0/96
>     private-address: fd00::/8
>     private-address: fe80::/10
>     module-config: "dns64 validator iterator"
>     include: /etc/unwind.conf.deny
>
> remote-control:
>     control-enable: yes
>     control-interface: /var/run/unbound.sock
>
> forward-zone:
>     name: "."
>     forward-addr: 2620:fe::fe
> ```
>
> This feels like a caching issue to me, but I don't know what to do to
> resolve it.
>
> Unbound logs show the same error from the failing dig command.
>
> Would appreciate any help.
>
> --
> In my defence, I have been left unsupervised.
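To make the clock-skew reasoning in the reply concrete, here is an added Python example; it is not part of the thread and not unbound's own validation code. It parses the RRSIG rdata exactly as `dig +multiline` printed it above, computes the inception/expiration window (RRSIG times are UTC, RFC 4034), and classifies two clock readings taken from the thread against that window: the replier's `WHEN: Mon Mar 18 18:42:15 UTC 2024` and the asker's `WHEN: Mon Mar 18 18:02:25 PDT 2024` (PDT is UTC-7, so that reading is 01:02:25 UTC on March 19, past the signature's expiration). The `skew` parameter is an assumption of this example; a real validator applies its own tolerance policy (in unbound, `val-sig-skew-min` and `val-sig-skew-max` bound it).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the RRSIG rdata as dig +multiline printed it in the thread,
# with the signature bytes omitted as on the page.
# Field order (RFC 4034 section 3.2): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
SLACK_RRSIG = "A 13 2 60 20240318194315 20240318174215 8040 slack.com. [omitted]"

ONE_HOUR = timedelta(hours=1)


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime from (year, month, day, h, m, s)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS and always in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata: str) -> dict:
    """Parse RRSIG presentation-format rdata into its named fields."""
    f = rdata.split()
    return {
        "type_covered": f[0],
        "algorithm": int(f[1]),
        "labels": int(f[2]),
        "original_ttl": int(f[3]),
        "expiration": parse_rrsig_time(f[4]),
        "inception": parse_rrsig_time(f[5]),
        "key_tag": int(f[6]),
        "signer": f[7],
    }


def signature_lifetime(sig: dict) -> int:
    """Seconds between inception and expiration."""
    return int((sig["expiration"] - sig["inception"]).total_seconds())


def check_rrsig_window(sig: dict, now: datetime, skew: timedelta = timedelta(0)) -> str:
    """Classify a signature against a validator's clock.

    RFC 4035 section 5.3.1 requires inception <= now <= expiration. `skew` is
    the tolerance this example adds on both sides; it is an assumption here,
    not a protocol constant.
    """
    now = now.astimezone(timezone.utc)
    if now < sig["inception"] - skew:
        return "not yet valid"
    if now > sig["expiration"] + skew:
        return "signature expired"
    return "valid"


# Clock readings taken from the two dig outputs in the thread.
REPLIER_CLOCK = utc(2024, 3, 18, 18, 42, 15)
PDT = timezone(timedelta(hours=-7))
ASKER_CLOCK = datetime(2024, 3, 18, 18, 2, 25, tzinfo=PDT)


if __name__ == "__main__":
    sig = parse_rrsig(SLACK_RRSIG)
    print(f"window: {sig['inception'].isoformat()} .. {sig['expiration'].isoformat()}"
          f" ({signature_lifetime(sig)} s)")
    for label, clock in (("replier", REPLIER_CLOCK), ("asker", ASKER_CLOCK)):
        verdict = check_rrsig_window(sig, clock, ONE_HOUR)
        print(f"{label}: {clock.astimezone(timezone.utc).isoformat()} -> {verdict}")
```

Running it shows the replier's clock inside the window and the asker's clock hours past expiration even with an hour of tolerance, which is the "signature expired" verdict unbound reported via EDE 7. The same check explains why flushing the cache or re-running `unbound-anchor` changes nothing: with a short-lived signature every fresh fetch is evaluated against the same wrong local clock.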