[dns-operations] (co.)bw DNSSEC failure

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 20 17:17:26 UTC 2016

> On Sep 20, 2016, at 12:58 PM, Warren Kumari <warren at kumari.net> wrote:
> On Tue, Sep 20, 2016 at 10:27 AM, Peter van Dijk
> <peter.van.dijk at powerdns.com> wrote:
>> Hello,
>> yes, I can see it is not signed - but validators cannot see that, because
>> one of the .bw servers (‘master’) fails to provide the insecure (lack of DS)
>> proof.
>> Kind regards,
> Ok, so I have what is (probably) a stupid question -- we often see
> these sorts of weird DNS issues, and I keep asking myself "Ok, how did
> this happen? If I wanted to recreate this problem, how would I
> accomplish it?" and not coming up with an answer....

I've seen this type of failure before, when one of the nameservers only
supports NSEC and not NSEC3 (software too old).  It can return signatures
for existing records, but finds no NSEC records for non-existence proofs.

Zones that use NSEC3 need to make sure that all their nameservers support
NSEC3 (naturally).


More information about the dns-operations mailing list