Ok, look at the NSEC3 proof that the servers give:

vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
                                VESDSJHFRE0TAP5H15GTH2F925G1NJ4C
                                NS )

The NSEC3 record points back to itself instead of to the next name and it is 
being properly rejected as invalid.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]
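To make concrete why that record has to be rejected, here is a small NSEC3 checker. It is an added example, not part of the thread and not BIND's code: `nsec3_hash`, `nsec3_covers`, `parse_nsec3` and `check_proof` are my own constructions, the one-line copy of the .realtor record is joined from the dig output above, and the RFC 5155 Appendix A value for "example" (salt aabbccdd, 12 iterations) is used as the self-test of the hash function. A record whose next hash equals its own owner describes a chain of exactly one record; the wrap-around rule then makes it "cover" every hash, which is only consistent for a zone with a single NSEC3, so the checker refuses to accept it as a proof unless told the zone really is that small.

```python
"""NSEC3 hashing and span checking (RFC 5155), to see why owner == next is rejected."""
import base64
import hashlib

# stdlib base32 uses the RFC 4648 alphabet; NSEC3 wants base32hex, whose alphabet
# sorts like the raw bytes so hashes can be compared as text.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed sample: the record from the thread, joined onto one line.
REALTOR_NSEC3 = ("vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - "
                 "VESDSJHFRE0TAP5H15GTH2F925G1NJ4C NS")


def wire_name(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label


def nsec3_hash(name: str, salt: str = "-", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` times, base32hex."""
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(wire_name(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return b32.translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, qname_hash: str) -> bool:
    """Does the span (owner, next) cover qname_hash, i.e. claim no name hashes there?"""
    o, n, q = owner_hash.lower(), next_hash.lower(), qname_hash.lower()
    if q == o:
        return False          # exact match: the name exists, that is a different proof
    if o < n:
        return o < q < n      # ordinary span in the middle of the chain
    return q > o or q < n     # last record wraps to the first; o == n lands here too


def parse_nsec3(rr: str) -> dict:
    """Parse a presentation-format NSEC3 RR (dig output joined onto one line)."""
    fields = rr.replace("(", " ").replace(")", " ").split()
    owner, rtype = fields[0], fields[3]
    if rtype != "NSEC3":
        raise ValueError("not an NSEC3 record: " + rtype)
    algo, flags, iters, salt, nxt = fields[4:9]
    labels = owner.split(".")
    return {"owner_hash": labels[0].lower(), "zone": ".".join(labels[1:]),
            "algorithm": int(algo), "opt_out": bool(int(flags) & 1),
            "iterations": int(iters), "salt": salt,
            "next_hash": nxt.lower(), "types": fields[9:]}


def check_proof(rr: str, qname: str, single_record_zone: bool = False) -> dict:
    """Judge one NSEC3 RR as a proof about qname (no DS, or non-existence)."""
    r = parse_nsec3(rr)
    if r["algorithm"] != 1:
        raise ValueError("unsupported NSEC3 hash algorithm %d" % r["algorithm"])
    q = nsec3_hash(qname, r["salt"], r["iterations"])
    self_ref = r["owner_hash"] == r["next_hash"]
    v = {"qname_hash": q, "self_referencing": self_ref,
         "matches": q == r["owner_hash"],
         "covers": nsec3_covers(r["owner_hash"], r["next_hash"], q)}
    if self_ref and not single_record_zone:
        # A one-record chain contradicts every other NSEC3 in a populated zone and
        # would "cover" every hash via the wrap rule, so it proves nothing.
        v["verdict"] = "invalid: next hash equals owner hash"
    elif v["matches"]:
        v["verdict"] = "no DS at qname" if "DS" not in r["types"] else "DS present at qname"
    elif v["covers"]:
        v["verdict"] = "qname does not exist" + (
            " (opt-out span: an insecure delegation may exist)" if r["opt_out"] else "")
    else:
        v["verdict"] = "record does not apply to qname"
    v["valid"] = not v["verdict"].startswith("invalid") and (v["matches"] or v["covers"])
    return v


if __name__ == "__main__":
    # RFC 5155 Appendix A: "example" with salt aabbccdd and 12 iterations
    assert nsec3_hash("example", "aabbccdd", 12) == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"
    for k, val in check_proof(REALTOR_NSEC3, "hlaor.realtor").items():
        print("%-17s %s" % (k, val))
```

Feed `check_proof` any other NSEC3 from the referral together with the queried name to see whether it matches (proves the delegation has no DS) or covers (proves the name is absent, with the opt-out caveat); only the self-referencing record is thrown out before either question is asked.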

> On 3. 12. 2025, at 10:43, Ondřej Surý <[email protected]> wrote:
> 
> I ran a quick test and all BIND 9 versions that I tested (which also included 
> stuff like 9.20.0 that was superseded
> and 9.11 which is end-of-life and hasn't been touched for a while) also 
> SERVFAIL hlaor.realtor queries.
> 
> And named reports:
> 
> 2025-12-03T10:38:59.527+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2401:fd80:403::122#53
> 2025-12-03T10:38:59.549+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2001:502:ad09::3#53
> 2025-12-03T10:38:59.573+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2a01:618:403::122#53
> 2025-12-03T10:38:59.595+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2610:a1:1009::3#53
> 2025-12-03T10:38:59.618+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2001:502:2eda::3#53
> 2025-12-03T10:38:59.650+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2610:a1:1010::3#53
> 2025-12-03T10:38:59.692+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2a01:618:407::122#53
> 2025-12-03T10:38:59.733+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 2401:fd80:407::122#53
> 2025-12-03T10:38:59.756+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 103.49.83.122#53
> 2025-12-03T10:38:59.780+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 156.154.100.3#53
> 2025-12-03T10:38:59.802+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 213.248.219.122#53
> 2025-12-03T10:38:59.824+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 156.154.102.3#53
> 2025-12-03T10:38:59.847+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 156.154.101.3#53
> 2025-12-03T10:38:59.878+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 156.154.103.3#53
> 2025-12-03T10:38:59.920+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 213.248.223.122#53
> 2025-12-03T10:38:59.962+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 
> 43.230.51.122#53
> 2025-12-03T10:38:59.963+01:00 broken trust chain resolving 
> 'hlaor.realtor/SOA/IN': 2600:9000:5305:ee00::1#53
> 2025-12-03T10:38:59.963+01:00 query client=0x7fffe744e000 
> thread=0x7fffee1fe680(hlaor.realtor/SOA): query_gotanswer: unexpected error: 
> broken trust chain
> 
> This feels like there something wrong with the NSEC3 chain, but I haven't 
> been able to put a finger on it yet.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> [email protected]
> 
>> On 3. 12. 2025, at 2:47, Viktor Dukhovni <[email protected]> wrote:
>> 
>> So most likely for some reason the OpenDNS servers don't like the DS
>> non-existence proof from the .realtor authoritative servers.  Which is
>> odd, because the DNSKEY and DS records of .realtor haven't changed since
>> late July 2021.
> 
> 
> 
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

