DNSVIZ errors
akritrim® Intelligence™
inlists at akritrim.net
Mon Apr 21 03:05:43 UTC 2025
Thank you for your help. It does give insights into the problem.
If you check the DNSViz history, this does not happen every time.
The BIND version is BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian,
obtained from: https://www.isc.org/download/ ---> https://bind.debian.net/bind
There are no firewalls or load balancers. These are directly connected
to the internet. I was running the BIND 9.18 official Debian package and got no
errors like this.
On 21/04/2025 4:46 am, Crist Clark wrote:
> The version of BIND and where you got it would be a good start. Any load
> balancers, firewalls, etc. between the server and internet that might touch
> the DNS records?
>
> True DNSSEC gurus please check my math.
>
> DNSViz is correct. You're not sending the proper NSEC3 records. Like the
> RFC says, "It takes three to tango," for NSEC3 denial of existence. You sent
> two. For a name where two levels of label don't exist,
>
> l5tz4.1i89a.akritrim.net
>
> You should send back three NSEC3 records,
>
> 1) NSEC3 record that proves 1i89a.akritrim.net
> (18QMAAOCT0HPNGCPD9MLONVAK13DS8HT) does not exist.
> 2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
> 3) NSEC3 record proving the wildcard, *.akritrim.net
> (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.
>
> But you're not, you're only sending two,
>
> N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 -
> QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT AAAA RRSIG DNSKEY
> NSEC3PARAM CDS CDNSKEY CAA
>
> 67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 -
> 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG
>
> Those are two I'd expect to see for (2) and (3), but where is (1)?
>
> But it's weirder. For this name,
>
> ebzoq.ik7ub.akritrim.net
>
> You are sending three NSEC3, but one doesn't look like the right one. You
> should send,
>
> 1) NSEC3 record that proves 1i89a.akritrim.net
> (S2NOKIAA732BLNNSEMCJ8KV74H6ICUEP) does not exist.
> 2) NSEC3 record for akritrim.net (N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P).
> 3) NSEC3 record proving the wildcard, *.akritrim.net
> (6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1), does not exist.
>
> But these get sent,
>
> N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net. 600 IN NSEC3 1 0 0 -
> QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT AAAA RRSIG DNSKEY
> NSEC3PARAM CDS CDNSKEY CAA
>
> I559SEFHCJO35HED2LU4N68B44CA281V.akritrim.net. 600 IN NSEC3 1 0 0 -
> KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0 A AAAA RRSIG CAA
>
> 67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net. 600 IN NSEC3 1 0 0 -
> 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG
>
> The first and last are the same two we got previously and line up with (2)
> and (3). But we get this other one that doesn't line up with (1). But what
> I /think/ that might be is the record that would prove
> ebzoq.ik7ub.akritrim.net (IAT39F3MSSGS2D4O255VNHB67V2GCNVI) does not exist
> in its place.
>
> On Sun, Apr 20, 2025 at 10:29 AM akritrim® Intelligence™ via bind-users
> <bind-users at lists.isc.org> wrote:
>
>> I didn't specifically ask for your help. I don't know why you replied. Yes,
>> I do need help, but this doesn't mean I can read your mind.
>>
>> So let me know what 'bits' of information I should share that will
>> meaningfully help me. (This is equivalent to saying
>> 'if you need anything specific let me know.')
>>
>> Today language models are more context aware.
>>
>> And if you don't want to share what you 'need', then leave it be; I
>> don't want your help.
>>
>>
>> On April 20, 2025 5:17:46 PM UTC, "Ondřej Surý" <ondrej at isc.org> wrote:
>> >
>> >> On 20. 4. 2025, at 17:57, akritrim® Intelligence™ via bind-users
>> >> <bind-users at lists.isc.org> wrote:
>> >>
>> >> anyways, if you need anything specific let me know.
>> >
>> > Well, I don't really need anything, you've asked for help here, not I.
>> > I've already told you what is needed, you didn't follow my advice :shrug:.
>> > The bits of information you have provided are not sufficient to
>> > meaningfully help you.
>> >
>> > Ondrej
>> > --
>> > Ondřej Surý (He/Him)
>> > ondrej at isc.org
>> >
>> > My working hours and your working hours may be different. Please do not
>> > feel obligated to reply outside your normal working hours.
>> >
>> >
>>
>> akritrim® Intelligence™
>> --
--
akritrim® Intelligence™
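As an added illustration, not code from the thread, from BIND or from DNSViz: the script below recomputes the NSEC3 hashes and runs the "three to tango" NXDOMAIN check that Crist describes against the records he quoted. It assumes the zone's NSEC3PARAM is the "1 0 0 -" seen in those records (SHA-1, zero extra iterations, empty salt) and that the zone apex is akritrim.net.

```python
import base64
import hashlib

_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"

def wire_name(name):
    """Canonical (lowercase) DNS wire format: length-prefixed labels plus root byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 NSEC3 hash in base32hex; defaults assume this zone's NSEC3PARAM '1 0 0 -'."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(str.maketrans(_B32, _B32HEX))

def covers(owner, nxt, h):
    """True if h lies strictly between an NSEC3 owner hash and its next hash (last record wraps)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def check_nxdomain_proof(qname, zone, records):
    """records: [(owner_hash, next_hash)] from the NXDOMAIN answer.
    Returns the proof pieces that are missing; an empty list means a complete proof."""
    labels = qname.rstrip(".").lower().split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    owners = {o for o, _ in records}
    closest = next_closer = None
    for i in range(1, depth + 1):          # parent of qname, ..., zone apex
        cand = ".".join(labels[i:])
        if nsec3_hash(cand) in owners:     # closest encloser must MATCH an owner hash
            closest, next_closer = cand, ".".join(labels[i - 1:])
            break
    if closest is None:
        return ["closest encloser proof for %s (no ancestor matches an NSEC3 owner)" % qname]
    missing = []
    for role, name in (("next closer name", next_closer), ("wildcard", "*." + closest)):
        h = nsec3_hash(name)
        if not any(covers(o, n, h) for o, n in records):   # these two must be COVERED
            missing.append("%s %s (%s)" % (role, name, h))
    return missing

# (owner hash, next hash) of the NSEC3 records quoted in the thread for the two NXDOMAIN answers.
L5TZ4_RECORDS = [("N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P", "QDO3A5R9G64L616H1K2FF3SUMFPPRV3J"),
                 ("67QJN06FLKRQCT38S4FF08EP31NDRL8S", "6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P")]
EBZOQ_RECORDS = L5TZ4_RECORDS + [("I559SEFHCJO35HED2LU4N68B44CA281V", "KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0")]

if __name__ == "__main__":
    for q, r in (("l5tz4.1i89a.akritrim.net", L5TZ4_RECORDS), ("ebzoq.ik7ub.akritrim.net", EBZOQ_RECORDS)):
        print(q, "missing:", check_nxdomain_proof(q, "akritrim.net", r) or "nothing")
```

For the first name the check reports only the next closer name 1i89a.akritrim.net as uncovered, which is exactly the record (1) Crist says is absent.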
More information about the bind-users mailing list