<div dir="ltr">The version of BIND and where you got it would be a good start. Any load balancers, firewalls, etc. between the server and internet that might touch the DNS records?<div><br></div><div>True DNSSEC gurus please check my math.</div><div><br><div>DNSvis is correct. You're not sending the proper NSEC3 records. Like the RFC says, "It takes three to tango," or NSEC3 denial of existence. You sent two. For a name where two levels of label don't exists,</div></div><div><br></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><a href="http://l5tz4.1i89a.akritrim.net">l5tz4.1i89a.akritrim.net</a></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">You should send back three NSEC3 records,</span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">1) NSEC3 record that proves </span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><a href="http://1i89a.akritrim.net">1i89a.akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">18QMAAOCT0HPNGCPD9MLONVAK13DS8HT)</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"> does not exist.</span></div>
<div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">2) NSEC3 record for <a href="http://akritrim.net">akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">).</span></div>
<div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">3) NSEC3 record proving the wildcard, *</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">.<a href="http://akritrim.net">akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">), does not exist.</span></div>
<div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br>But you're not, you're only sending two,</span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net">N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net</a>. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net">67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net</a>. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG</span></p><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br>Those are two I'd expect to see for (2) and (3), but where is (1)?<br><br></span></div><div><font color="#333333" face="Helvetica, sans-serif"><span style="font-size:12px">But it's weirder. For this name,</span></font></div><div><font color="#333333" face="Helvetica, sans-serif"><span style="font-size:12px"><br></span></font></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><a href="http://ebzoq.ik7ub.akritrim.net">ebzoq.ik7ub.akritrim.net</a></span><font color="#333333" face="Helvetica, sans-serif"><span style="font-size:12px"></span></font></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">You are sending three NSEC3, but one doesn't look like the right one. You should send,</span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">1) NSEC3 record that proves </span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><a href="http://1i89a.akritrim.net">1i89a.akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">S2NOKIAA732BLNNSEMCJ8KV74H6ICUEP</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">)</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"> does not exist.</span></div>
<div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">2) NSEC3 record for <a href="http://akritrim.net">akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">).</span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">3) NSEC3 record proving the wildcard, *</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">.<a href="http://akritrim.net">akritrim.net</a> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">6L23GRBE4JIMA1A0G8DSBBUT32V6VCO1</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">), does not exist.</span></div></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">But these get sent,</span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net">N1MI0QA6QNO2L00GAT0PE6PEGGHHI48P.akritrim.net</a>. 600 IN NSEC3 1 0 0 - QDO3A5R9G64L616H1K2FF3SUMFPPRV3J A NS SOA MX TXT AAAA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY CAA</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://I559SEFHCJO35HED2LU4N68B44CA281V.akritrim.net">I559SEFHCJO35HED2LU4N68B44CA281V.akritrim.net</a>. 600 IN NSEC3 1 0 0 - KOGD0HOUD9R7BAB4LKQR2E9ALI57C7N0 A AAAA RRSIG CAA</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-size-adjust:none;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><a href="http://67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net">67QJN06FLKRQCT38S4FF08EP31NDRL8S.akritrim.net</a>. 600 IN NSEC3 1 0 0 - 6LPNNJIVL1267OV5QQSBFLMFIDHMHJ8P TXT RRSIG</span></p></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><br></span></div><div><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px">The first and last are the same two we got previously and line up with (2) and (3). But we get this other one that doesn't line up with (1). But what I /think/ that might be is the record that would prove </span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"><a href="http://ebzoq.ik7ub.akritrim.net">ebzoq.ik7ub.akritrim.net</a></span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"> (</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0);font-family:Menlo;font-size:11px">IAT39F3MSSGS2D4O255VNHB67V2GCNVI)</span><span style="color:rgb(51,51,51);font-family:Helvetica,sans-serif;font-size:12px"> does not exist in its place.</span></div>
</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sun, Apr 20, 2025 at 10:29 AM akritrim® Intelligence™ via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">i didn't specifically ask for your help. i don't know why you replied. yes i do need help but this doesn't mean i can read your mind. <br>
<br>
so let me know what 'bits' of information should i share that will meaningfully help me. ( this is equivalent to saying ' <br>
if you need anything specific let me know.') <br>
<br>
today language models are more context aware.<br>
<br>
and if you don't want to share what do you 'need' then leave it be, i don't want your help.<br>
<br>
<br>
On April 20, 2025 5:17:46 PM UTC, "Ondřej Surý" <<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a>> wrote:<br>
><br>
>> On 20. 4. 2025, at 17:57, akritrim® Intelligence™ via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> wrote:<br>
>> <br>
>> anyways, if you need anything specific let me know.<br>
><br>
>Well, I don't really need anything, you've asked for help here, not I. I've already told you what is needed,<br>
>you didn't follow my advice :shrug:. The bits of information you have provided are not sufficient to meaningfully<br>
>help you.<br>
><br>
>Ondrej<br>
>--<br>
>Ondřej Surý (He/Him)<br>
><a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a><br>
><br>
>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.<br>
><br>
><br>
<br>
akritrim® Intelligence™<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
</blockquote></div>