Just Keep Digging
2026-01-28
Yesterday at work I received an alert for an SMTP status code 450, specifically 450 4.7.1 <mail.foo.com>: Helo command rejected: Host not found. Strange; let’s check to make sure things are resolving properly:
$ dig @1.1.1.1 mail.foo.com
...
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 13 (Cached Error)
; EDE: 23 (Network Error): (YYY.YYY.YYY.YYY:53 returned SERVFAIL for foo.com DNSKEY)
;; QUESTION SECTION:
;mail.foo.com. IN A
;; ANSWER SECTION:
mail.foo.com. 6776 IN A XXX.XXX.XXX.XXX
...
The MX subdomain resolves, but the OPT pseudosection, which carries the Extension Mechanisms for DNS (EDNS) data, contains EDE codes for foo.com.
Extended DNS Error (EDE) codes (see RFC 8914) were created to supplement SERVFAIL with additional information about the cause of DNS and DNSSEC failures. Cloudflare added support for EDE codes to 1.1.1.1 back in 2020.
We can query Cloudflare for the domain returning a SERVFAIL to get a little more information:
$ dig @1.1.1.1 foo.com
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45322
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 13 (Cached Error)
; EDE: 22 (No Reachable Authority): (at delegation foo.com.)
; EDE: 23 (Network Error): (YYY.YYY.YYY.YYY:53 returned SERVFAIL for foo.com A)
;; QUESTION SECTION:
;foo.com. IN A
...
The EDE: 22 (No Reachable Authority): ... indicates the authoritative nameserver can’t be reached, or the nameserver potentially refused to reply.
Let’s trace the query to check response times:
$ dig @1.1.1.1 foo.com +trace
...
;; Received 41 bytes from YYY.YYY.YYY.YYY#53(ns.bar.com) in 1516 ms
1.5 seconds for an authoritative nameserver reply seems a bit high. We should query the authoritative nameserver directly:
$ dig @YYY.YYY.YYY.YYY foo.com +norecurse
...
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27845
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 13 (Cached Error)
;; QUESTION SECTION:
;foo.com. IN A
...
Sure enough, we get a SERVFAIL; time to notify our domain provider.
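The EDE lines dig prints above are decoded from EDNS option code 15 in the OPT record, which RFC 8914 defines as a 16-bit INFO-CODE followed by optional UTF-8 EXTRA-TEXT. The parser below is an added example, not code from the original post; the helper names (parse_ede, make_option, make_ede) are hypothetical and the sample bytes are constructed to mirror the second dig output.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS option code assigned to EDE by RFC 8914

# INFO-CODE names from RFC 8914 (subset: the three seen above plus DNSSEC ones)
EDE_NAMES = {
    6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing",
    13: "Cached Error", 22: "No Reachable Authority", 23: "Network Error",
}

def parse_ede(opt_rdata: bytes):
    """Walk the OPT RDATA option list; return [(info_code, name, extra_text)]."""
    found, pos = [], 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        body = opt_rdata[pos:pos + length]
        if len(body) != length:
            raise ValueError("option length runs past end of RDATA")
        pos += length
        if code != EDE_OPTION_CODE:
            continue  # skip other EDNS options (cookies, padding, ...)
        if length < 2:
            raise ValueError("EDE option shorter than INFO-CODE")
        (info,) = struct.unpack_from("!H", body)
        # EXTRA-TEXT may or may not be NUL-terminated; treat it as untrusted text
        text = body[2:].rstrip(b"\x00").decode("utf-8", errors="replace")
        found.append((info, EDE_NAMES.get(info, "unknown"), text))
    return found

def make_option(code: int, payload: bytes) -> bytes:
    return struct.pack("!HH", code, len(payload)) + payload

def make_ede(info: int, text: str = "") -> bytes:
    return make_option(EDE_OPTION_CODE, struct.pack("!H", info) + text.encode())

# Constructed sample: one unrelated option (code 10, COOKIE) and three EDE options
SAMPLE = (
    make_option(10, bytes(8))
    + make_ede(13)
    + make_ede(22, "at delegation foo.com.")
    + make_ede(23, "YYY.YYY.YYY.YYY:53 returned SERVFAIL for foo.com A")
)

if __name__ == "__main__":
    for info, name, text in parse_ede(SAMPLE):
        print(f"EDE: {info} ({name})" + (f": ({text})" if text else ""))
```

A monitoring check can alert on any response that carries codes 22 or 23, since in the case above they appeared on the mail.foo.com answer while it still resolved from cache.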