[dns-operations] DNSViz 0.6.7 (FreeBSD 11.1-RELEASE-p10) reports all but first NSEC3 RRSIG as "BOGUS"

Casey Deccio casey at deccio.net
Mon Aug 6 15:16:49 UTC 2018

Hi Viktor,

> On Aug 5, 2018, at 12:34 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> I am trying to use the DNSViz CLI on my own machine, rather than
> farm out all processing to the website.  But I am running into
> unexpected wrinkles.  TLSA lookups that elicit multiple NSEC3
> records as proof of non-existence seem to consistently report
> "BOGUS" RRSIGs for all but the first NSEC3 record.

The problem is actually caused by a bug in graphviz.  I first noticed it in 2016:


Then there was an issue filed in 2017:


Apparently it had been fixed in the development version, but had not been backported to 2.39/2.40.  I haven't done enough poking around to find out which graphviz patch(es) need to be backported and log an official issue, but it could be done here:



More information about the dns-operations mailing list