> On Nov 8, 2018, at 9:52 AM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
> 
> We have been experiencing a prolonged outage at our off-site dns
> location.  The two NS in question are located there.  The
> establishment of NS at multiple locations was intended to handle this
> sort of situation.  We are dealing with the matter but it involves two
> separate upstream providers and is somewhat complicated thereby.

My analysis is that some of the upstream providers have broken DNSSEC
implementations that don't handle NSEC3 properly or at all, and
therefore "authenticated denial of existence" is not working for
your domain.

If the problem is still unresolved your choices are:

  * Try switching to NSEC.  Delete "NSEC3PARAM" and re-sign
    the zone.

  * Find a more competent DNS provider

  * Temporarily disable DNSSEC (remove the DS records at .CA)
    until the problems with denial of existence are resolved.

If DNSSEC is desired, but not critical, I'd do the last first,
then try either or both of the first two, until the nameservers
respond correctly with appropriately signed NSEC or NSEC3
records for queries that return NoData and NXDomain.

-- 
        Viktor.
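
A check for the condition named in the last paragraph above, as an added example that is not part of the original message: it reads the text of a `dig +dnssec` reply and reports whether a NoData or NXDomain response carries NSEC or NSEC3 records with covering RRSIGs. The sample replies are constructed, `example.test` and all hashes and signatures are placeholders, and the check is presence-only (it does not validate signatures or NSEC3 hashes).

```python
import re

DENIAL = {"NSEC", "NSEC3"}

def check_denial(dig_text):
    """Check a `dig +dnssec` negative answer for signed NSEC/NSEC3 records.

    Presence check only: it does not validate signatures or NSEC3 hashes.
    """
    status = re.search(r"status: (\w+)", dig_text)
    answers = re.search(r"ANSWER: (\d+)", dig_text)
    if not status or not answers:
        raise ValueError("dig header lines not found")
    if status.group(1) == "NXDOMAIN":
        kind = "NXDomain"
    elif status.group(1) == "NOERROR" and answers.group(1) == "0":
        kind = "NoData"
    else:
        return {"kind": "other", "ok": None, "unsigned": []}
    denial, signed, in_auth = set(), set(), False
    for line in dig_text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
        elif in_auth and (not line.strip() or line.startswith(";")):
            break                      # end of the authority section
        elif in_auth:
            f = line.split()           # owner, ttl, class, type, rdata...
            if len(f) < 5:
                continue
            owner, rtype = f[0].lower(), f[3]
            if rtype in DENIAL:
                denial.add((owner, rtype))
            elif rtype == "RRSIG" and f[4] in DENIAL:
                signed.add((owner, f[4]))   # f[4] is the type covered
    unsigned = sorted(denial - signed)
    return {"kind": kind, "ok": bool(denial) and not unsigned, "unsigned": unsigned}

# Constructed dig output; names, hashes and signatures are placeholders.
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 1\n;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: {}, ADDITIONAL: 1\n\n;; AUTHORITY SECTION:\n"
SOA = ("example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600\n"
       "example.test. 3600 IN RRSIG SOA 8 2 3600 20990101000000 20980101000000 1 example.test. c2ln\n")
NSEC3 = ("0abc.example.test. 3600 IN NSEC3 1 0 10 AABB 1DEF A RRSIG\n"
         "0abc.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20990101000000 20980101000000 1 example.test. c2ln\n")
GOOD = HEADER.format("NXDOMAIN", 4) + SOA + NSEC3 + "\n;; Query time: 1 msec\n"
BROKEN = HEADER.format("NXDOMAIN", 2) + SOA + "\n;; Query time: 1 msec\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("broken", BROKEN)):
        print(name, check_denial(text))
```

Run it against each authoritative server in turn, since a validating resolver fails the lookup as soon as it reaches one server that omits the proof.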
