[dns-operations] broken 'apex' NSEC3 for ma. denies big number of delegated names
Peter van Dijk
peter.van.dijk at powerdns.com
Fri Apr 1 13:55:30 UTC 2022
Hello,
"dig +dnssec txt @b.tld.ma ma." (as do other queries) returns a non-opt-out NSEC3 covering EPNGG6KIP1BA66LLJKNBLULI9PUL8OJ9...LB0AJ7AEMMSB3B556MI0DC1GFDUGO17E.

This NSEC3 covers a large number of existing delegations in the zone, denying their existence. Resolvers using NSEC/NSEC3 aggressively (as described in RFC9077) then end up replying NXDOMAIN for names covered by that range.

One example of such a name is afmagroup.ma, which hashes to EUKB329VQPC6CRF4VLLEB9BALQU169UO, falling inside the EPN..LB0 range.

I suspect your signer is broken. The offending NSEC3 is returned by all .ma name servers I can find.
Can you please investigate? Thank you!
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
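The check the post describes, as an added example that is neither the poster's nor PowerDNS's code: the RFC 5155 NSEC3 hash (SHA-1 over the canonical wire-format name plus salt, re-hashed for the configured number of iterations, base32hex-encoded), the "does this hash fall inside the owner..next span" test including the wrap-around of the last record in the chain, and the Opt-Out rule that decides whether such coverage actually denies a name. The .ma salt and iteration count are not given in the post, so the .ma part of the example uses the three hashes exactly as quoted there (marked as constructed input), while the hash routine itself is checked against the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations).

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python only ships
# plain base32, so translate its alphabet to the base32hex one.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase) wire-format encoding of a domain name, root label included."""
    name = name.strip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """RFC 5155 section 5: H(H(...H(name||salt)||salt)...) with `iterations` extra rounds."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 SHA-1 bytes encode to exactly 32 base32hex characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True if target_hash lies strictly between owner_hash and next_hash.

    Equal-length base32hex strings sort the same way as the raw hash bytes,
    so plain string comparison gives the NSEC3 chain order.
    """
    o, n, t = (s.upper() for s in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    # Last NSEC3 in the chain: its "next" wraps around to the first record.
    return t > o or t < n


def proves_nonexistence(owner_hash, next_hash, flags, target_hash):
    """A covering NSEC3 denies the name only if the Opt-Out flag (bit 0) is clear.

    With Opt-Out set the span may contain unsigned delegations, so an
    RFC 9077 aggressive resolver must not synthesize NXDOMAIN from it.
    """
    opt_out = bool(flags & 0x01)
    return nsec3_covers(owner_hash, next_hash, target_hash) and not opt_out


# Constructed input: the three hashes quoted in the post. The .ma salt and
# iteration count are not known here, so they are used as given rather than
# recomputed from the names.
MA_OWNER = "EPNGG6KIP1BA66LLJKNBLULI9PUL8OJ9"
MA_NEXT = "LB0AJ7AEMMSB3B556MI0DC1GFDUGO17E"
AFMAGROUP_HASH = "EUKB329VQPC6CRF4VLLEB9BALQU169UO"


def ma_example():
    """Does the quoted apex NSEC3 (non-opt-out, so flags=0) deny afmagroup.ma?"""
    return proves_nonexistence(MA_OWNER, MA_NEXT, flags=0, target_hash=AFMAGROUP_HASH)


if __name__ == "__main__":
    # RFC 5155 Appendix A zone parameters: salt aabbccdd, 12 iterations.
    print("example. ->", nsec3_hash("example.", "aabbccdd", 12))
    print("afmagroup.ma denied by the quoted NSEC3:", ma_example())
```

Run stand-alone it prints the RFC 5155 apex hash and `True` for the .ma case. To check a delegation in a zone whose NSEC3PARAM you do know, call `nsec3_hash(name, salt, iterations)` and feed the result to `proves_nonexistence` with the flags byte from the covering NSEC3 record.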