[dns-operations] broken 'apex' NSEC3 for ma. denies big number of delegated names

Peter van Dijk peter.van.dijk at powerdns.com
Fri Apr 1 13:55:30 UTC 2022


"dig +dnssec txt @b.tld.ma ma." (as do other queries) returns a non-
opt-out NSEC3 covering
This NSEC3 covers a large number of existing delegations in the zone,
denying their existence.

Resolvers using NSEC/NSEC3 aggressively (as described in RFC9077) then
end up replying NXDOMAIN for names covered by that range.

One example of such a name is afmagroup.ma, which hashes to
EUKB329VQPC6CRF4VLLEB9BALQU169UO, falling inside the EPN..LB0 range.

I suspect your signer is broken. The offending NSEC3 is returned by all
.ma name servers I can find.

Can you please investigate? Thank you!

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
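To make the mechanism in the report concrete, here is an added Python example (not part of the post or of any PowerDNS code): it implements the RFC 5155 NSEC3 hash and the "covered" check an RFC 8198/9077 aggressive-cache resolver performs, including the opt-out distinction the report relies on. The salt and iteration count for ma. are not in the post, so the hash demo uses the RFC 5155 Appendix A test vector, and the EPN..LB0 range is padded into constructed placeholder hashes rather than the real records.

```python
import base64
import hashlib

# Base32 -> "extended hex" alphabet used by NSEC3 (RFC 4648 s.7); it keeps sort order,
# so hashed owner names can be compared as plain strings.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
OPT_OUT = 0x01  # NSEC3 flags field, bit 0


def owner_wire(name: str) -> bytes:
    """Canonical (lowercased) uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: H0 = SHA1(name||salt), Hk = SHA1(H(k-1)||salt); 32 base32hex chars."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")


def nsec3_covers(owner: str, nxt: str, h: str) -> bool:
    """True if h lies strictly between owner and next. The last NSEC3 in the
    chain has next < owner and wraps around to the start of the hashed zone."""
    owner, nxt, h = owner.upper(), nxt.upper(), h.upper()
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt


def aggressive_verdict(owner: str, flags: int, nxt: str, qname_hash: str) -> str:
    """What an aggressive-cache resolver may conclude from one cached NSEC3."""
    h = qname_hash.upper()
    if h == owner.upper():
        return "exists"              # exact match: the name exists
    if not nsec3_covers(owner, nxt, h):
        return "not covered"         # this record says nothing about the name
    if flags & OPT_OUT:
        return "covered, opt-out"    # unsigned delegations may still exist
    return "synthesize NXDOMAIN"     # non-opt-out cover: the name is denied


# Constructed placeholders for the EPN..LB0 range quoted in the report (real
# owner/next hashes are not in the post); flags 0 = non-opt-out, as reported.
SAMPLE_OWNER = "EPN" + "0" * 29
SAMPLE_NEXT = "LB0" + "0" * 29
AFMAGROUP_HASH = "EUKB329VQPC6CRF4VLLEB9BALQU169UO"  # hash quoted in the post

if __name__ == "__main__":
    print(nsec3_hash("example", "aabbccdd", 12))  # RFC 5155 Appendix A vector
    print(aggressive_verdict(SAMPLE_OWNER, 0, SAMPLE_NEXT, AFMAGROUP_HASH))
```

Run as-is it prints the RFC 5155 test hash and "synthesize NXDOMAIN" for the quoted afmagroup.ma hash; flipping the flags argument to 1 shows why an opt-out NSEC3 with the same range would not have caused the outage.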

