
The command dig +nocmd pop3.pauperis.org aaaa +noall +answer returns the following on my laptop:

pop3.pauperis.org.  3111    IN  CNAME   pauperis.org.
pauperis.org.       3111    IN  AAAA    2001:41d0:1:8ade::1

but the same command on my server suddenly returns nothing, after no apparent config change:

# dig +nocmd pop3.pauperis.org aaaa +noall +answer
#

This is the response on my server, but with the +trace option:

dig +nocmd pop3.pauperis.org aaaa +noall +answer +trace
.           44679   IN  NS  e.root-servers.net.
.           44679   IN  NS  m.root-servers.net.
.           44679   IN  NS  l.root-servers.net.
.           44679   IN  NS  b.root-servers.net.
.           44679   IN  NS  g.root-servers.net.
.           44679   IN  NS  i.root-servers.net.
.           44679   IN  NS  a.root-servers.net.
.           44679   IN  NS  d.root-servers.net.
.           44679   IN  NS  h.root-servers.net.
.           44679   IN  NS  f.root-servers.net.
.           44679   IN  NS  j.root-servers.net.
.           44679   IN  NS  k.root-servers.net.
.           44679   IN  NS  c.root-servers.net.
.           44679   IN  RRSIG   NS 8 0 518400 20220316050000 20220303040000 9799 . WHZ//zKcRc0aFze+haFiC5a0GwaCwCsopDkMLzMZrOTTvejeb96R01h+ 2mlnsd4qivrbop0a7fBz+Vs/m+YVOPku+vCO/fnZ+NW/KgrtXpHoPopE WayXrfwtEC+Iu/G7gD1bePIhXqeEMSYlfLD84g7ezASeXc4q3Yrfw3+s SnKkG/vwlZ3IFcSw90bqyYoV597fRLZYdEoUzDjp9onU/NcwqmWJ6muV Ms2IO7kHTaUfMO7z6mgf5PGC2ylTywz+4WZLFd6t8QvZypEMGFwPSxJ2 W86Sdh2QJSDznW3V5CFW3tW+59ZzKsJHuGlHTwqem+egipZMXoMW9y+F 08ZVlg==
;; Received 1137 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.            172800  IN  NS  b2.org.afilias-nst.org.
org.            172800  IN  NS  a2.org.afilias-nst.info.
org.            172800  IN  NS  d0.org.afilias-nst.org.
org.            172800  IN  NS  a0.org.afilias-nst.info.
org.            172800  IN  NS  b0.org.afilias-nst.org.
org.            172800  IN  NS  c0.org.afilias-nst.info.
org.            86400   IN  DS  26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org.            86400   IN  RRSIG   DS 8 1 86400 20220321170000 20220308160000 9799 . m3lulShGydigMRJiRixpAFeO9YBBkntgr2Gk42/sts9JLeGVavWmrAyd 5uFDMPf+DqWjgz65BCR1kipEpJAbETmqiwf17rrk9yDIXYGDfrdv04tg w5+4LjANeRzCqr9CH2FFokRt5cl2AdCSn2kNonndSM72Zfhots5ggn8G nTXyt3Aj3Hg4xagS1ZqPhodM15r95NVWw4ozPywSt76vI/oOgEBF6ckw Hz9AEg5i4MdSoLTwiT9fLE51KfiJQO6Xfp8ZANUFtwrydLb0pqJtXMbC BoJnhXjyjWzlOA5/ze5PR3nCh7tbtbTdxdowiB2Jrc3j5Cirfw7dAske TAjiiQ==
;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 3 ms

pauperis.org.       86400   IN  NS  ns111.ovh.net.
pauperis.org.       86400   IN  NS  dns111.ovh.net.
pauperis.org.       86400   IN  DS  18975 7 2 9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C
pauperis.org.       86400   IN  RRSIG   DS 8 2 86400 20220322152315 20220301142315 30573 org. mE8EiULvqr8ZBCDb6rQnXHlxVoZtaTzbLjMtRi9w2jyGYYcKbX0m8N7R +b4NmqrsiQa7nz3DBbDDwt8IbXZfEIqVmGLJrx7Gp+uMDECa54mz06kG Xz1LWb6j/B6CA+1+fa+MyDBJt7A6inBLZQix8Fr9xkWRYznsQqyeeHnW YYo=
;; Received 305 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 83 ms

pop3.pauperis.org.  3600    IN  CNAME   pauperis.org.
pop3.pauperis.org.  3600    IN  RRSIG   CNAME 8 3 3600 20220403112323 20220304112323 37698 pauperis.org. OhXaHFQ1xfLU2T3zjUIBpKsW6k62NZVlnCf4aQKUhbtDcVTGbWDNbwo7 MkpsDh2zpwG3vIqzqdw9t0Uuq7A1U+TDH0SetnBDVvlR1dNNZRbEiWBd C1dJiNuItE37iDNexAebRBvSnM/9hfjDUwDaX7Q78iQS836gxkTSV/g7 Bys=
pauperis.org.       3600    IN  AAAA    2001:41d0:1:8ade::1
pauperis.org.       3600    IN  RRSIG   AAAA 8 2 3600 20220403112323 20220304112323 37698 pauperis.org. dZP/Vxls3u1x8lMQ4A4NULX/UMrf7M+YkBNim4pJ/O9qkHCHn3N19Fku JciU5LCsWd4dw856ejt6CLBDy1c5RSADfrP+q3O3x9kstsgrH+Wf0pP8 cU2y/mTJRSQWPp+6jBUITshXJvcuV+XFpHeA931570XelUGN7ZuEStzD COc=
;; Received 432 bytes from 2001:41d0:1:4a9b::1#53(dns111.ovh.net) in 3 ms

Could someone tell me what could be going wrong?

Thank you so much in advance :)

peris

1 Answer

See https://dnsviz.net/d/pop3.pauperis.org/YifJYQ/dnssec/ : this name has a huge DNSSEC misconfiguration (a typical case of a mismatch between the DS record at the parent, aka the registry, and the DNSKEY records found in the child). This needs to be solved before the whole domain works correctly.

It is also easy to spot by comparing a normal answer through a validating resolver (hence with DNSSEC validation) with the same query while explicitly forbidding DNSSEC validation:

$ dig pop3.pauperis.org @9.9.9.9

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39260
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c145784edda54901
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)

SERVFAIL can mean a lot of things, but fatal DNSSEC errors always produce the SERVFAIL error code; note also, in passing, the Extended DNS Error: DNSKEY Missing.

And then the same query bypassing DNSSEC validation (thanks to the dig +cd flag):

$ dig pop3.pauperis.org @9.9.9.9 +cd

; <<>> DiG 9.18.0 <<>> pop3.pauperis.org @9.9.9.9 +cd
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c028e114f2c210f8
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; QUERY SIZE: 58

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1480
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;pop3.pauperis.org. IN A

;; ANSWER SECTION:
pop3.pauperis.org.  1h IN CNAME pauperis.org.
pauperis.org.       1h IN A 91.121.85.222

Now you get NOERROR. The simple fact that removing DNSSEC validation makes things work is good proof that the error is DNSSEC-related.

Patrick Mevzek
  • Thanks a lot for your help. In this case DNSSEC is managed by OVH, as I just had to enable the DNSSEC checkbox for it to work. I did it some years ago, but it seems to have been failing for some months. – peris Mar 08 '22 at 22:44
  • "as I just had to enable the DNSSEC checkbox for it to work." DNSSEC is unfortunately more complicated than just a checkbox. Your DNS provider might hide lots of difficulties from you, which is nice, but DNSSEC is really often not "fire and forget". It adds some security but also adds some complexity. Here it is odd that the registry had a DS record for your domain (which means DNSSEC enabled) but then it seems it was not enabled at your DNS provider. If your domain is important (like you lose money when it breaks), I suggest you make sure to monitor it, through some other means. – Patrick Mevzek Mar 09 '22 at 00:25
  • FWIW and for posterity, the new view of your domain in DNSViz: https://dnsviz.net/d/pop3.pauperis.org/Yif0JA/dnssec/ (showing both DNSSEC and everything OK). I highly recommend that everyone use DNSViz for any troubleshooting problem; it is very helpful. – Patrick Mevzek Mar 09 '22 at 00:27
  • Hi, thanks a lot for your reply. It helped a lot, as I had no idea where the issue was coming from. I knew the logic behind DNSSEC, but as OVH offers this functionality for all managed domains I completely forgot about it. I checked everything but didn't think there could be an error on their behalf. After disabling DNSSEC in the OVH Manager and waiting for some hours, it then worked again. :) – peris Mar 09 '22 at 09:18
  • Yes, but then you are not immune to the problem coming back later, and Murphy helping at the worst time, if you are not sure how it happened that you had a DS record at the registry without a corresponding DNSKEY in your zone. Maybe your DNS provider rotated its keys and asked you to update the DS (especially if they are not also the sponsoring registrar of the domain), and if you did not, they may have just rotated anyway, pushing you into the situation where the current DS does not match any DNSKEY in the zone. It would be better if you can enable DNSSEC again, but you can't if not understanding case – Patrick Mevzek Mar 09 '22 at 14:30
  • Yes, I understand it perfectly. Obviously I enabled DNSSEC again and it worked like a charm. I own about 9 domains, all managed through OVH, and this one was the only one which started failing. Anyway, thank you so much for the tip. It made my day :) – peris Mar 28 '22 at 11:38
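The mismatch the answer diagnoses, and the key-rotation scenario raised in the comments, both come down to one check: does the DS the registry publishes (key tag, algorithm, digest type and digest) match some DNSKEY at the child zone's apex? The Python below is an added example written for this page, not code from the thread, from OVH or from DNSViz. It implements the RFC 4034 Appendix B key tag and the RFC 4034 section 5.1.4 DS digest with only the standard library, runs them on a constructed stand-in DNSKEY (not a real key, so its DS cannot be expected to match the registry's), and parses the DS and RRSIG lines copied from the dig +trace output in the question to show what the trace alone already reveals: the parent's DS names algorithm 7 while the child signs with algorithm 8. The function names, the FAKE_PUBKEY bytes and the truncated signature fields in the sample lines are all assumptions of this example.

```python
"""DS-at-parent vs DNSKEY-in-child check (added example, standard library only).

RFC 4034 Appendix B key tag, RFC 4034 section 5.1.4 DS digest, and a small
parser for the DS / RRSIG lines that dig +trace prints.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # uppercase hex, whitespace removed


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


# Lines copied from the dig +trace output in the question. The RRSIG signature
# fields are truncated here because the parser never reads them.
PAGE_DS = ("pauperis.org.       86400   IN  DS  18975 7 2 "
           "9CE6DA2D7883298D589BDBD5DFD29BB76FB24329C12B453A055F06F6 4EEC0C0C")
PAGE_RRSIGS = [
    "pop3.pauperis.org.  3600    IN  RRSIG   CNAME 8 3 3600 20220403112323 "
    "20220304112323 37698 pauperis.org. OhXaHFQ1...",
    "pauperis.org.       3600    IN  RRSIG   AAAA 8 2 3600 20220403112323 "
    "20220304112323 37698 pauperis.org. dZP/Vxls...",
]

# Constructed stand-in for a DNSKEY public-key blob (NOT a real RSA key); it
# exists only so the key-tag and digest code can run offline.
FAKE_PUBKEY = bytes([0x01, 0x02, 0x03, 0x04])

_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_ds(line: str) -> DS:
    f = line.split()
    i = f.index("DS")
    # dig wraps long digests into several hex chunks; rejoin them.
    return DS(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper())


def parse_rrsig(line: str) -> RRSIG:
    f = line.split()
    i = f.index("RRSIG")
    # RDATA order: type, alg, labels, orig TTL, expiration, inception, key tag, signer
    return RRSIG(f[i + 1], int(f[i + 2]), int(f[i + 7]), f[i + 8].lower())


def wire_name(owner: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, as hashed into the DS."""
    owner = owner.lower().rstrip(".")
    if not owner:
        return b"\x00"
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in owner.split(".")) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> DS:
    """The DS record the parent should publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = _DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def dnskey_matches_ds(ds: DS, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True only when key tag, algorithm, digest type and digest all agree."""
    if ds.digest_type not in _DIGESTS:
        return False  # unknown digest type: a validator cannot use this DS (RFC 4035 5.2)
    return ds_for_dnskey(owner, flags, protocol, algorithm, pubkey, ds.digest_type) == ds


def trace_signals(ds_lines, rrsig_lines) -> dict:
    """What a dig +trace alone can tell you. A key-tag difference is NOT proof:
    the KSK named by the DS normally differs from the ZSK signing AAAA records.
    A disjoint algorithm set is: either no DNSKEY of the DS algorithm exists or
    it exists and signs nothing, and both are bogus for a validator."""
    ds = [parse_ds(ln) for ln in ds_lines]
    sigs = [parse_rrsig(ln) for ln in rrsig_lines]
    ds_algs = {d.algorithm for d in ds}
    sig_algs = {s.algorithm for s in sigs}
    return {
        "ds_key_tags": sorted(d.key_tag for d in ds),
        "signing_key_tags": sorted({s.key_tag for s in sigs}),
        "ds_algorithms": sorted(ds_algs),
        "rrsig_algorithms": sorted(sig_algs),
        "algorithm_mismatch": not (ds_algs & sig_algs),
    }


if __name__ == "__main__":
    print(trace_signals([PAGE_DS], PAGE_RRSIGS))
    own = ds_for_dnskey("pauperis.org.", 257, 3, 8, FAKE_PUBKEY)
    print("DS for the constructed key:", own)
    print("matches its own DS:", dnskey_matches_ds(own, "pauperis.org.", 257, 3, 8, FAKE_PUBKEY))
    print("matches the registry DS from the page:",
          dnskey_matches_ds(parse_ds(PAGE_DS), "pauperis.org.", 257, 3, 8, FAKE_PUBKEY))
```

To run the real check against a live zone, fetch the apex keys with dig pauperis.org DNSKEY +cd +multi (the +cd flag makes the resolver hand the records over even while the chain is bogus, and +multi prints each key tag in a comment), base64-decode the fourth RDATA field of each DNSKEY into the pubkey argument, and call dnskey_matches_ds against every DS returned by dig pauperis.org DS. If no key matches, the DS at the registry is stale, exactly the "rotated keys, DS never updated" case described in the comments, and the fix is to publish a DS computed by ds_for_dnskey from the current KSK (or to have the provider do it).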