Hi Benoit,

So, there is an A record for www.numberportability.ch, and it's signed and resolves and validates without issue for me.

However, when I attempt to look up the AAAA record (or any other RRtype except A), I get the following response from Swizzonic's nameserver:

> ; <<>> DiG 9.18.9 <<>> www.numberportability.ch aaaa @2a01:8100:2901::1:183:201 +dnssec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44515
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1680
> ;; QUESTION SECTION:
> ;www.numberportability.ch. IN AAAA
>
> ;; AUTHORITY SECTION:
> numberportability.ch. 900 IN SOA dns1.swizzonic.ch. hostmaster.swizzonic.ch. 2022121601 10800 3600 604800 86400
> numberportability.ch. 900 IN RRSIG SOA 13 2 900 20230105000000 20221215000000 10556 numberportability.ch. SzRBpQzLj0tEmzfg0LN6vBVd6pDYVY5RhaJd8BFKX57yaU1xCEeVFQiB ogAb0xMsVcUMEew15KbjxDyLBGhvsw==
> numberportability.ch. 86400 IN NSEC numberportability.ch. A NS SOA MX TXT RRSIG NSEC DNSKEY
> numberportability.ch. 86400 IN RRSIG NSEC 13 2 86400 20230105000000 20221215000000 10556 numberportability.ch. nwLoV6Gr+DLINpw+1wARJkj6VCUEIPT3ciZGrmltkBXu7tlW3L9GF0Ht 5kCZbDooM8yMGOow0gI/EdIzYwKA+A==
>
> ;; Query time: 26 msec
> ;; SERVER: 2a01:8100:2901::1:183:201#53(2a01:8100:2901::1:183:201) (UDP)
> ;; WHEN: Wed Dec 28 16:13:41 CET 2022
> ;; MSG SIZE rcvd: 390

Note the response status:

> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44515

It is a NOERROR rather than NXDOMAIN. This means the name server indicates that the absence of an AAAA record in the response is a NoData [rfc2308] error rather than an NXDOMAIN error, or, in other words, it claims that the domain www.numberportability.ch. exists, but doesn't have an AAAA record.

Now let's turn our eyes to the NSEC record in the response:

> numberportability.ch. NSEC numberportability.ch. [... some rrtypes]

Here, Swizzonic's nameserver claims that there is no domain between numberportability.ch. and numberportability.ch., i.e. that it does not have any subdomains at all. This is in contrast to the NoData response above, and thus the DNSSEC validator considers the response bogus.

So it appears there is some kind of misconfiguration on Swizzonic's side.

Hope this helps in narrowing down the issue.

Regards
Sebastian

[rfc2308]: https://www.rfc-editor.org/rfc/rfc2308#section-2.2
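
The consistency check described in the message above, as an added example that is not part of the original e-mail: it classifies what one NSEC record proves for a query and compares that with the rcode. The helper names are hypothetical, `WWW_NSEC` is constructed for contrast, and the sketch assumes signatures are already verified and ignores wildcards and NSEC3.

```python
# Added example: what does a single NSEC record prove for a given query?
# Simplified: no wildcard or NSEC3 handling, signatures assumed already verified.

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercase labels, compared right to left."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_proves(owner, next_name, types, qname, qtype):
    """Return 'nodata', 'nxdomain' or None for one NSEC record."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        # NSEC sits at the queried name: NoData if the type is not in the bitmap.
        return "nodata" if qtype not in types and "CNAME" not in types else None
    if o < n:
        covered = o < q < n
    else:
        # Last NSEC of the chain: next name wraps around to the zone apex.
        covered = q > o and q[:len(n)] == n
    if not covered:
        return None
    # A covered name that is an ancestor of the next name is an empty non-terminal.
    if len(n) > len(q) and n[:len(q)] == q:
        return "nodata"
    return "nxdomain"

def check_response(rcode, nsecs, qname, qtype):
    """'consistent' if some NSEC proves what the rcode claims, else 'bogus'."""
    expected = {"NOERROR": "nodata", "NXDOMAIN": "nxdomain"}[rcode]
    proofs = {nsec_proves(o, n, t, qname, qtype) for (o, n, t) in nsecs}
    return "consistent" if expected in proofs else "bogus"

# NSEC record taken from the dig output in the message.
APEX_NSEC = ("numberportability.ch.", "numberportability.ch.",
             {"A", "NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY"})
# Constructed for contrast: an NSEC owned by www itself (type bitmap is an assumption).
WWW_NSEC = ("www.numberportability.ch.", "numberportability.ch.", {"A", "RRSIG", "NSEC"})

if __name__ == "__main__":
    q = ("www.numberportability.ch.", "AAAA")
    print(nsec_proves(*APEX_NSEC, *q))                  # what the apex NSEC proves
    print(check_response("NOERROR", [APEX_NSEC], *q))   # the response as received
    print(check_response("NOERROR", [WWW_NSEC], *q))    # the constructed contrast case
```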