DNSVIZ errors

akritrim® Intelligence™ inlists at akritrim.net
Sun Apr 20 15:57:20 UTC 2025 

Hello Ondrej

There are multiple domains with the error. The idea is not to obfuscate 
but give an example which covers all domains with these errors.

These errors are also intermittent.

This is not a permanent error. I have no errors in my logs. The dnssec 
configuration is below:

dnssec-policy mypolicy {
      nsec3param iterations 0 optout no salt-length 0;
      keys {
          ksk lifetime unlimited algorithm ecdsap256sha256;
          zsk lifetime 60d algorithm ecdsap256sha256;
      };
      inline-signing yes;
};

this domain akritrim.net is not broken. its your lists.bind.org mail 
server that was broken, which was fixed after i sent the email.

something in mailman/postfix was broken from your side.

the only thing broken on this domain and others is the scenario i mailed 
before.

anyways, if you need anything specific let me know.

cheers

On April 20, 2025 2:58:05 PM UTC, "Ondřej Surý" <ondrej at isc.org> wrote:
> I wonder what’s the point of obfuscating the name making people unable 
> to help you when you are putting the domain name that’s broken 
> everywhere else in your email:
> 
> https://dnsviz.net/d/akritrim.net/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
> 
> Anyway, you need to provide all the details about the domain name 
> configuration and the related logs. You can’t expect help without 
> sharing the full information about your problem.
> 
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> My working hours and your working hours may be different. Please do not 
> feel obligated to reply outside your normal working hours.
> 
>> On 20. 4. 2025, at 16:31, akritrim® Intelligence™ via bind-users 
>> <bind-users at lists.isc.org> wrote:
>> 
>> Hi
>> 
>> I am getting the following error if i test the domain on dnsviz.net.
>> 
>> For example for domain example.org i get :
>> 
>> caikb.6tqs4.example.org/A has errors; select the "Denial of existence" 
>> DNSSEC option to see them.
>> 
>> On checking the denial of existence settings i get:
>> 
>> 
>> RRset status
>> Bogus (1)
>> caikb.6tqs4.example.org/A (NXDOMAIN)
>> 
>> 
>> Errors (2)
>> NSEC3 proving non-existence of caikb.6tqs4.example.org/A: No NSEC3 RR 
>> corresponds to the closest encloser of the SNAME 
>> (caikb.6tqs4.example.org). See RFC 5155, Sec. 8.4.
>> NSEC3 proving non-existence of caikb.6tqs4.example.org/A: No NSEC3 RR 
>> corresponds to the closest encloser of the SNAME 
>> (caikb.6tqs4.example.org). See RFC 5155, Sec. 8.4.
>> 
>> 
>> I do not get any errors on an existing subdomain like mail.example.org 
>> or even a non existent subdomain like htcghugfg.example.org
>> 
>> also not all domains managed by the server get this error, only some 
>> of them.
>> 
>> i have these parameters defined in dnssec policy:
>> 
>> nsec3param iterations 0 optout no salt-length 0;
>> 
>> 
>> any ideas will be welcome.
>> 
>> 
>> --
>> akritrim® Intelligence™
>> --
>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
>> from this list
>> 
>> ISC funds the development of this software with paid support 
>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>> information.
>> 
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list