<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 27, 2018, at 12:27 AM, Petr Špaček <<a href="mailto:petr.spacek@nic.cz" class="">petr.spacek@nic.cz</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">On 26.7.2018 18:34,<span class="Apple-converted-space"> </span></span><a href="mailto:frnkblk@iname.com" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">frnkblk@iname.com</a><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""><span class="Apple-converted-space"> </span>wrote:</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; 
-webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">I used to use<span class="Apple-converted-space"> </span><a href="http://rhybar.cz/" class="">rhybar.cz</a>, but the zone hasn’t been working since May 26<br class="">around 1:30 am (U.S. Central).<br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Are you sure? DNSViz indicates that it is broken properly! 
;-)</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""></div></blockquote><div><br class=""></div>For what it's worth, it is indeed properly broken now :)</div>
<div><br class=""></div>
<div><a href="http://dnsviz.net/d/rhybar.cz/W1sbSw/dnssec/" class="">http://dnsviz.net/d/rhybar.cz/W1sbSw/dnssec/</a></div>
<div><br class=""></div>
<div>Yesterday, it was indeed also broken, but not really for DNSSEC reasons:</div>
<div><br class=""></div>
<div><a href="http://dnsviz.net/d/rhybar.cz/W1n28Q/dnssec/" class="">http://dnsviz.net/d/rhybar.cz/W1n28Q/dnssec/</a></div>
<div><br class=""></div>
<div>Yesterday, the authoritative servers were responding with referrals rather than providing authoritative responses for rhybar.cz/DNSKEY, rhybar.cz/A, etc.</div>
<div><br class=""></div>
<div>For example, the response from 193.29.206.1 for rhybar.cz/A looked like this:</div>
<div><br class=""></div>
<pre>opcode QUERY
rcode NOERROR
flags QR
edns 0
eflags DO
payload 1232
;QUESTION
rhybar.cz. IN A
;ANSWER
;AUTHORITY
rhybar.cz. 3600 IN NS a.ns.nic.cz.
rhybar.cz. 3600 IN NS d.ns.nic.cz.
rhybar.cz. 3600 IN NS b.ns.nic.cz.
rhybar.cz. 3600 IN DS 59916 5 2 1a6516c32dcf2038e5382d77adacade3ede99cdd77f019fcdf3741b49f8d563b
rhybar.cz. 3600 IN RRSIG DS 13 2 3600 20180802183134 20180721103541 62295 cz. 80AVXfeNrMy6OumE0Zt6YUIBqJZzTcuo zHD7gczAUzzu0ZgMMZNM4SQYU4NgTguj YVkYJiwOcRXWwnuP9nilVg==
;ADDITIONAL
a.ns.nic.cz. 3600 IN A 194.0.12.1
a.ns.nic.cz. 3600 IN AAAA 2001:678:f::1
b.ns.nic.cz. 3600 IN A 194.0.13.1
b.ns.nic.cz. 3600 IN AAAA 2001:678:10::1
d.ns.nic.cz. 3600 IN A 193.29.206.1
d.ns.nic.cz. 3600 IN AAAA 2001:678:1::1</pre>
<div><br class=""></div>
<div>So... broken is broken? Well, maybe. When I first began running a validating resolver years ago, I checked every SERVFAIL that was returned by re-querying the validating resolver with +cd (or I queried another, non-validating resolver). The result (SERVFAIL or not) helped me distinguish whether it was a DNSSEC-related issue or not. So, if the point is to discover DNSSEC validation issues, then the type of broken can actually make a difference. In this particular case, the response from a resolver would likely have been SERVFAIL even with +cd (or with a non-validating resolver).</div>
<div><br class=""></div>
<div>In any case, thanks to the many organizations that supply services of any type to help with the quality of DNSSEC deployment and maintenance--including those hosting domains designed to fail DNSSEC validation :)</div>
<div><br class=""></div>
<div>Casey</div></body></html>
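<div>The two checks in the message above (recognising a referral that comes back for the very zone the server is listed for, and the +cd re-query that separates a DNSSEC validation failure from any other failure), as an added example that is not part of the thread and not DNSViz code. It parses a constructed copy of the quoted response dump offline, with no network access; the function names, the classification labels and the 192.0.2.10 address in the healthy sample are assumptions made for this example.</div>

```python
"""Added example, not code from the thread or from DNSViz: (1) classify one
authoritative server's response as an authoritative answer, a referral, or a
referral for the very zone the server is listed for (what 193.29.206.1 did
for rhybar.cz/A); (2) the +cd re-query triage for a SERVFAIL."""
from dataclasses import dataclass, field


@dataclass
class Response:
    rcode: str
    flags: set
    qname: str
    answer: list = field(default_factory=list)     # (owner, rtype, rdata)
    authority: list = field(default_factory=list)  # (owner, rtype, rdata)


def parse_response(text: str) -> Response:
    """Parse the text dump format quoted in the message: header lines, then
    ;QUESTION / ;ANSWER / ;AUTHORITY / ;ADDITIONAL sections (ADDITIONAL is
    not needed for the classification and is skipped)."""
    resp = Response(rcode="", flags=set(), qname="")
    section = None  # None while still in the header block
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            section = line[1:].strip().upper()
        elif section is None:
            key, _, value = line.partition(" ")
            if key == "rcode":
                resp.rcode = value.strip()
            elif key == "flags":
                resp.flags = set(value.split())
        elif section == "QUESTION":
            resp.qname = line.split()[0].lower()
        elif section in ("ANSWER", "AUTHORITY"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            getattr(resp, section.lower()).append((owner.lower(), rtype, rdata))
    return resp


def classify_auth_response(resp: Response, zone: str) -> str:
    """zone: the zone the queried server is delegated for ("rhybar.cz.").
    NOERROR without AA, an empty ANSWER, and NS records for that same zone
    in AUTHORITY is a referral back to the zone itself: the server is in the
    delegation but is not serving the zone, so resolution fails whether or
    not DNSSEC validation is on."""
    if resp.rcode != "NOERROR":
        return "error:" + resp.rcode
    if "AA" in resp.flags:
        return "authoritative-answer" if resp.answer else "authoritative-nodata"
    ns_owners = {owner for owner, rtype, _ in resp.authority if rtype == "NS"}
    if zone in ns_owners:
        return "referral-to-own-zone"
    return "referral" if ns_owners else "non-authoritative-no-data"


def triage_servfail(validating_rcode: str, cd_rcode: str) -> str:
    """The +cd trick: a SERVFAIL from a validating resolver that turns into a
    normal answer with checking disabled means validation itself failed."""
    if validating_rcode != "SERVFAIL":
        return "resolves"
    return "non-dnssec-failure" if cd_rcode == "SERVFAIL" else "dnssec-validation-failure"


# Constructed copy of the referral quoted in the message (EDNS header lines
# and most of ADDITIONAL left out; they do not affect the classification).
REFERRAL_DUMP = """opcode QUERY
rcode NOERROR
flags QR
;QUESTION
rhybar.cz. IN A
;ANSWER
;AUTHORITY
rhybar.cz. 3600 IN NS a.ns.nic.cz.
rhybar.cz. 3600 IN NS d.ns.nic.cz.
rhybar.cz. 3600 IN NS b.ns.nic.cz.
rhybar.cz. 3600 IN DS 59916 5 2 1a6516c32dcf2038e5382d77adacade3ede99cdd77f019fcdf3741b49f8d563b
rhybar.cz. 3600 IN RRSIG DS 13 2 3600 20180802183134 20180721103541 62295 cz. 80AVXfeNrMy6OumE0Zt6YUIBqJZzTcuo zHD7gczAUzzu0ZgMMZNM4SQYU4NgTguj YVkYJiwOcRXWwnuP9nilVg==
;ADDITIONAL
d.ns.nic.cz. 3600 IN A 193.29.206.1
"""

# Constructed healthy counterpart; 192.0.2.10 is a documentation-range
# placeholder, not rhybar.cz's real address.
AUTH_DUMP = """rcode NOERROR
flags QR AA
;QUESTION
rhybar.cz. IN A
;ANSWER
rhybar.cz. 3600 IN A 192.0.2.10
;AUTHORITY
;ADDITIONAL
"""

if __name__ == "__main__":
    print(classify_auth_response(parse_response(REFERRAL_DUMP), "rhybar.cz."))
    print(classify_auth_response(parse_response(AUTH_DUMP), "rhybar.cz."))
    print(triage_servfail("SERVFAIL", "NOERROR"), triage_servfail("SERVFAIL", "SERVFAIL"))
```

<div>Run against the quoted dump, the classifier reports the referral-to-own-zone case, which is exactly the kind of failure that stays SERVFAIL even with +cd: the server is listed in the delegation but answers as if it were a parent. On a real monitor you would feed the two triage inputs from a validating query and the same query with the CD bit set, and only raise a DNSSEC alert when the second one succeeds.</div>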