> On Nov 8, 2018, at 9:52 AM, James B. Byrne <byrn...@harte-lyne.ca> wrote:
>
> We have been experiencing a prolonged outage at our off-site dns
> location. The two NS in question are located there. The
> establishment of NS at multiple locations was intended to handle this
> sort of situation. We are dealing with the matter but it involves two
> separate upstream providers and is somewhat complicated thereby.

My analysis is that some of the upstream providers have broken DNSSEC
implementations that don't handle NSEC3 properly or at all, and
therefore "authenticated denial of existence" is not working for
your domain.

If the problem is still unresolved your choices are:

  * Try switching to NSEC. Delete "NSEC3PARAM" and re-sign the zone.
  * Find a more competent DNS provider
  * Temporarily disable DNSSEC (remove the DS records at .CA)
    until the problems with denial of existence are resolved.

If DNSSEC is desired, but not critical, I'd do the last first, then
try either or both of the first two, until the nameservers respond
correctly with appropriately signed NSEC or NSEC3 records for queries
that return NoData and NXDomain.

--
	Viktor.
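
An added example, not part of the original message: one way to check a saved `dig +dnssec` response from an authoritative server for the condition described above, namely a NoData or NXDomain answer whose authority section carries NSEC or NSEC3 records with covering RRSIGs. The function name and the sample responses (zone `example.test`, shortened rdata) are constructed for illustration, and the check only tests for presence of the records; it does not validate signatures.

```python
import re

# Constructed `dig +dnssec` outputs (names and rdata are made up, rdata shortened).
SIGNED_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20290101000000 1234 example.test. c2ln
q1h5.example.test. 3600 IN NSEC3 1 0 10 AABB r2d2 A RRSIG
q1h5.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20300101000000 20290101000000 1234 example.test. c2ln
"""
UNPROVEN_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20290101000000 1234 example.test. c2ln
"""

def check_denial(dig_output):
    """Report whether a negative answer carries NSEC/NSEC3 records with covering RRSIGs."""
    status = re.search(r"status: (\w+)", dig_output)
    answers = re.search(r"ANSWER: (\d+)", dig_output)
    if not status or not answers:
        return "unparseable"
    if status.group(1) == "NXDOMAIN":
        kind = "NXDomain"
    elif status.group(1) == "NOERROR" and answers.group(1) == "0":
        kind = "NoData"
    else:
        return "not a negative answer"
    proofs, signed, in_authority = set(), set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_authority = True
        elif not line.strip() or line.startswith(";"):
            in_authority = False  # blank line or next section header ends the section
        elif in_authority:
            fields = line.split()  # owner, ttl, class, type, rdata...
            if len(fields) > 4 and fields[3] in ("NSEC", "NSEC3"):
                proofs.add(fields[3])
            elif len(fields) > 4 and fields[3] == "RRSIG":
                signed.add(fields[4])  # record type covered by this signature
    if not proofs:
        return kind + ": no NSEC/NSEC3 in authority section"
    if not proofs <= signed:
        return kind + ": NSEC/NSEC3 present but unsigned"
    return kind + ": signed " + "/".join(sorted(proofs))
```

Running it over one response per nameserver, for both a nonexistent name and an existing name with a missing record type, shows which servers omit the denial-of-existence records.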