[dns-operations] .org dnssec issue?

[Daniel Stirnimann]

Dear all,

I cannot resolve geant.org on a validating resolver.

dig @b2.org.afilias-nst.org geant.org DS +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @b2.org.afilias-nst.org
geant.org DS +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46443
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;geant.org.			IN	DS

;; AUTHORITY SECTION:
org.			900	IN	SOA	a0.org.afilias-nst.info. noc.afilias-nst.info.
2012355993 1800 900 604800 86400
org.			900	IN	RRSIG	SOA 7 1 900 20170227124822 20170206114822 3947 org.
QSBmqyDB8R/IAZOofQMZOaDuyGb7oOME/ppdBvEitkKOstkfaUgiEJKV
Lsofh57kfMWmbduEQ7knwHYl8JWK06X8K9gBD0eB4qHgStG3slZ/eAI/
MYMsuN9gx/X2oXYRPUrla3A+TQ8jH1VLO8ReaixerGOvns3GwK1KozXx DsA=
2v44578rbb03qcv1725nc569s8hoigtq.org. 86400 IN NSEC3 1 1 1 D399EAAB
2V4JIMFKQNNFI3F9ULAG5T1QVEU0K9TK NS DS RRSIG
2v44578rbb03qcv1725nc569s8hoigtq.org. 86400 IN RRSIG NSEC3 7 2 86400
20170222152815 20170201142815 3947 org.
n68Q8rrz1s5cP+4+W0f0a3ZXwzJDYtuJhbYKKsjuqB5PgA3HDL9oPdU6
NGHZ07bFIK2WyWFoAbYeB7hbDUgIlMQBdYpbTSwZaUff5nSx7nd+xVKJ
mp3KfqnsI2VL72ClNFalvNx0vnR6rVELJ10TVTal7IJWhKPm54CvUjEy CtE=

I think the NSEC3 proof is bogus.  2v44578rbb03qcv1725nc569s8hoigtq.org.
is geant.org:

ldns-nsec3-hash -t 1 -s D399EAAB geant.org
2v44578rbb03qcv1725nc569s8hoigtq.

DNSviz said (http://dnsviz.net/d/geant.org/WJhvCw/dnssec/):
 * NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
the bitmap of the NSEC3 RR corresponding to the delegated name (geant.org).
 * NSEC3 proving non-existence of geant.org/DS: The DS bit was set in
the bitmap of the NSEC3 RR corresponding to the delegated name (geant.org).

So, is this a .org issue?

Daniel