You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When testing personeelsrecht.nu an error is reported in DNSSEC10, but the error does not match the behavior of the zone. The implementation should not returned DS10_MISSING_NSEC_NSEC3 in this case.
There is another issue on DNSSEC10, but on the specification (zonemaster/zonemaster#1153). They are related in so far as the both hit zones with wildcard below apex.
This issue should wait for the specification to be adjusted.
$ zonemaster-cli --show-testcase --test dnssec/dnssec10 personeelsrecht.nu
Seconds Level Testcase Message
======= ======== ============== =======
4.67 ERROR DNSSEC10 NSEC or NSEC3 is expected but is missing. Fetched from the nameservers with IP addresses "13.248.156.209;188.212.124.37;192.99.182.47;2607:5300:201:3100::1670;2a05:d018:c40:8e01:7cab:9b94:f853:3736;2a0c:b9c0:f:44c3::1".
$ zonemaster-cli --show-testcase --test dnssec/dnssec10 personeelsrecht.nu --raw
4.50 ERROR DNSSEC10 DS10_MISSING_NSEC_NSEC3 ns_ip_list=188.212.124.37;192.99.182.47;2607:5300:201:3100::1670;2a05:d018:c40:8e01:7cab:9b94:f853:3736;2a0c:b9c0:f:44c3::1
personeelsrecht.nu has a wildcard below apex:
; <<>> DiG 9.10.6 <<>> *.personeelsrecht.nu +dnssec +mult
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9223
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 3072
;; QUESTION SECTION:
;*.personeelsrecht.nu. IN A
;; ANSWER SECTION:
*.personeelsrecht.nu. 784 IN A 185.103.16.152
*.personeelsrecht.nu. 784 IN RRSIG A 13 2 901 (
20230720000000 20230629000000 540 personeelsrecht.nu.
f60CsPSOOPUhoaHx50iqHiubYqClt23e8tZx0xVSvdHV
ymuAaAD6h5o3uikmGH+/Dz4QImruIafeJpZNdGfFDQ== )
;; AUTHORITY SECTION:
j2vf88arbbu8dhktpodbdm2bmrhcvbc8.personeelsrecht.nu. 784 IN NSEC3 1 0 10 C0FFEE (
3IP1IA6ACI7506U9P09EMPAG3PI70O0C
A NS SOA MX TXT RRSIG DNSKEY NSEC3PARAM )
j2vf88arbbu8dhktpodbdm2bmrhcvbc8.personeelsrecht.nu. 784 IN RRSIG NSEC3 13 3 901 (
20230720000000 20230629000000 540 personeelsrecht.nu.
NPMzWYrTQQNjkAdr6CAyiHLcue/XT/Gs0+iXuukt67Is
3nLAI3U1FTtMJTgkQn1GI+nkCL75n6NGWtUj4vDH7w== )
;; Query time: 56 msec
;; SERVER: 10.30.7.2#53(10.30.7.2)
;; WHEN: Mon Jul 10 14:49:47 CEST 2023
;; MSG SIZE rcvd: 376
When testing a non-existing domain, the following is returned, which is the query that zonemaster sends. Note that an NSEC3 record is included in the authority section.
When testing personeelsrecht.nu an error is reported in DNSSEC10, but the error does not match the behavior of the zone. The implementation should not returned DS10_MISSING_NSEC_NSEC3 in this case.
There is another issue on DNSSEC10, but on the specification (zonemaster/zonemaster#1153). They are related in so far as the both hit zones with wildcard below apex.
This issue should wait for the specification to be adjusted.
personeelsrecht.nu has a wildcard below apex:
When testing a non-existing domain, the following is returned, which is the query that zonemaster sends. Note that an NSEC3 record is included in the authority section.
DNSviz sees no issue with the zone:
The text was updated successfully, but these errors were encountered: