[dns-operations] Assistance Request: OpenDNS Not Resolving Certain .realtor™ Domains

Ondřej Surý ondrej at sury.org
Wed Dec 3 10:01:38 UTC 2025


Ok, look at the NSEC3 proof that the servers give:

vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
                                VESDSJHFRE0TAP5H15GTH2F925G1NJ4C
                                NS )

The NSEC3 record points back to itself instead of to the next name and it is being properly rejected as invalid.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at sury.org

> On 3. 12. 2025, at 10:43, Ondřej Surý <ondrej at sury.org> wrote:
> 
> I ran a quick test and all BIND 9 versions that I tested (which also included stuff like 9.20.0 that was superseded
> and 9.11 which is end-of-life and hasn't been touched for a while) also SERVFAIL hlaor.realtor queries.
> 
> And named reports:
> 
> 2025-12-03T10:38:59.527+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2401:fd80:403::122#53
> 2025-12-03T10:38:59.549+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2001:502:ad09::3#53
> 2025-12-03T10:38:59.573+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2a01:618:403::122#53
> 2025-12-03T10:38:59.595+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2610:a1:1009::3#53
> 2025-12-03T10:38:59.618+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2001:502:2eda::3#53
> 2025-12-03T10:38:59.650+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2610:a1:1010::3#53
> 2025-12-03T10:38:59.692+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2a01:618:407::122#53
> 2025-12-03T10:38:59.733+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2401:fd80:407::122#53
> 2025-12-03T10:38:59.756+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 103.49.83.122#53
> 2025-12-03T10:38:59.780+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.100.3#53
> 2025-12-03T10:38:59.802+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 213.248.219.122#53
> 2025-12-03T10:38:59.824+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.102.3#53
> 2025-12-03T10:38:59.847+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.101.3#53
> 2025-12-03T10:38:59.878+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.103.3#53
> 2025-12-03T10:38:59.920+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 213.248.223.122#53
> 2025-12-03T10:38:59.962+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 43.230.51.122#53
> 2025-12-03T10:38:59.963+01:00 broken trust chain resolving 'hlaor.realtor/SOA/IN': 2600:9000:5305:ee00::1#53
> 2025-12-03T10:38:59.963+01:00 query client=0x7fffe744e000 thread=0x7fffee1fe680(hlaor.realtor/SOA): query_gotanswer: unexpected error: broken trust chain
> 
> This feels like there is something wrong with the NSEC3 chain, but I haven't been able to put a finger on it yet.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at sury.org
> 
>> On 3. 12. 2025, at 2:47, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> 
>> So most likely for some reason the OpenDNS servers don't like the DS
>> non-existence proof from the .realtor authoritative servers.  Which is
>> odd, because the DNSKEY and DS records of .realtor haven't changed since
>> late July 2021.
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
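
Added example, not part of the original thread and not BIND's validation code: a small Python check that parses an NSEC3 record in presentation format, computes the RFC 5155 hash of a query name, and reports whether the record matches it, covers it, or points back to itself like the record quoted in the message above. The function names and the constructed `WIDE_RECORD` are assumptions for illustration.

```python
import base64
import hashlib

# Record as quoted in the message above.
PAGE_RECORD = """vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
    VESDSJHFRE0TAP5H15GTH2F925G1NJ4C NS )"""
# Constructed record (not from the page): spans almost the whole hash space.
WIDE_RECORD = "0" * 32 + ".realtor. 3600 IN NSEC3 1 1 0 - " + "V" * 32 + " NS"

# base32 -> base32hex alphabet; base32hex keeps the sort order of the raw hash.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash (algorithm 1, SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # extra iterations re-hash digest || salt
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")

def parse_nsec3(text):
    """Parse one NSEC3 RR in presentation format into a dict."""
    tok = text.replace("(", " ").replace(")", " ").split()
    if len(tok) < 9 or tok[3].upper() != "NSEC3":
        raise ValueError("not an NSEC3 record")
    return {
        "owner_hash": tok[0].split(".", 1)[0].upper(),
        "iterations": int(tok[6]),
        "salt": b"" if tok[7] == "-" else bytes.fromhex(tok[7]),
        "next_hash": tok[8].upper(),
        "types": tok[9:],
    }

def classify(rec, qname):
    """Relate the hash of qname to the interval (owner_hash, next_hash)."""
    h = nsec3_hash(qname, rec["salt"], rec["iterations"])
    owner, nxt = rec["owner_hash"], rec["next_hash"]
    if owner == nxt:  # the condition pointed out in the message above
        return "self-referential"
    if h == owner:
        return "matches"
    if owner < nxt:
        covered = owner < h < nxt
    else:  # last record of the chain wraps around to the first
        covered = h > owner or h < nxt
    return "covers" if covered else "does not cover"
```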