It helps to return the NSEC3 record that proves that the wildcard name does not exist.

25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: in authvalidated
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: resuming nsecvalidate
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 proves name does not exist: 'www.xn--80aswg'
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 indicates potential closest encloser: 'xn--80aswg'
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: looking for relevant NSEC3
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: NSEC3 at super-domain xn--80aswg
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: in checkwildcard: *.xn--80aswg
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: nonexistence proof(s) not found
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'xn--80aswg'
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: checking existence of DS at 'www.xn--80aswg'
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: continuing validation would lead to deadlock: aborting validation
25-Oct-2013 00:36:21.420 validating @0x7fc374c8dc00: www.xn--80aswg DS: deadlock found (create_validator)

In message <ce8e9611.39370%[email protected]>, Dan York writes:
> On 10/24/13 9:12 AM, "Chris Thompson" <[email protected]> wrote:
>
> >At 13:01 23-10-2013, Edward Lewis wrote:
> >>My sensors show 4 new gTLDs in the last hour or so...IDN,
> >>non-ccTLD...added between 1800 and 1900 UTC.
> >
> >Not mentioned yet is that all four appeared already signed and with
> >DS records in the root zone.
>
> Funny you should mention that... I just published a post this morning
> promoting that fact:
>
> http://www.internetsociety.org/deploy360/blog/2013/10/4-newgtlds-launched-yesterday-marks-dawn-of-dnssec-from-the-start-tlds/
>
>
> From a DNSSEC-advocacy point of view, this is a great step forward as all
> new domains registered under these newgTLDs will at least have the
> *option* of being secured by DNSSEC.
>
> >But... the two Cyrillic gTLDs (xn--80asehdb & xn--80aswg) are a bit
> >broken, in that NXDOMAIN responses don't validate properly. Neither
> >dnssec-debugger.verisignlabs.com nor dnsviz.net are able to analyse
> >validations problems for NXDOMAIN responses, so I am not quite sure
> >why yet, but e.g.
> >
> >  dig +dnssec www.xn--80asehdb.
> >  dig +dnssec www.xn--80aswg.
> >
> >give SERVFAILs which can be avoided by adding the +cd option.
>
> Hmmm... interesting. Perhaps some work is still needed on the operational
> front there...
>
> Dan
>
> --
> Dan York
> Senior Content Strategist, Internet Society
> [email protected] <mailto:[email protected]> +1-802-735-1624
> Jabber: [email protected] <mailto:[email protected]>
> Skype: danyork http://twitter.com/danyork
>
> http://www.internetsociety.org/deploy360/
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
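
Added example, not part of the original message and not BIND's code: a sketch of the RFC 5155 closest-encloser check that the validator log above is walking through, showing that an NXDOMAIN answer fails when no NSEC3 record covers the wildcard name. The zone contents, the empty salt and zero extra iterations, and all function names are assumptions made for illustration.

```python
import base64, hashlib

B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: iterated SHA-1 over the wire-format name plus salt."""
    labels = name.lower().rstrip(".").split(".")
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX)

def covers(record, h):
    """True if h lies strictly between the record's owner and next hash."""
    owner, nxt = record
    return owner < h < nxt if owner < nxt else (h > owner or h < nxt)

def check_nxdomain(qname, records, salt=b"", iterations=0):
    """Closest-encloser proof for NXDOMAIN. Returns (ok, missing parts)."""
    owners = {owner for owner, _ in records}
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):      # longest ancestor first
        encloser = ".".join(labels[i:])
        if nsec3_hash(encloser, salt, iterations) in owners:
            break
    else:
        return False, ["closest encloser"]
    needed = {"next closer": ".".join(labels[i - 1:]),
              "wildcard": "*." + encloser}
    missing = [f"{what} {name}" for what, name in needed.items()
               if not any(covers(r, nsec3_hash(name, salt, iterations))
                          for r in records)]
    return not missing, missing

def build_chain(names, salt=b"", iterations=0):
    """Constructed helper: sorted NSEC3 chain for a zone's existing names."""
    hs = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hs[(i + 1) % len(hs)]) for i, h in enumerate(hs)]

# Constructed zone contents; only the TLD name itself comes from the thread.
CHAIN = build_chain(["xn--80aswg", "nic.xn--80aswg", "example.xn--80aswg"])
# An answer that leaves out the record covering the wildcard's hash.
INCOMPLETE = [r for r in CHAIN if not covers(r, nsec3_hash("*.xn--80aswg"))]

if __name__ == "__main__":
    for answer in (CHAIN, INCOMPLETE):
        print(check_nxdomain("www.xn--80aswg", answer))
```
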
