Hello,

"dig +dnssec txt @b.tld.ma ma." (as do other queries) returns a non-opt-out NSEC3 covering EPNGG6KIP1BA66LLJKNBLULI9PUL8OJ9...LB0AJ7AEMMSB3B556MI0DC1GFDUGO17E. This NSEC3 covers a large number of existing delegations in the zone, denying their existence.

Resolvers using NSEC/NSEC3 aggressively (as described in RFC9077) then end up replying NXDOMAIN for names covered by that range. One example of such a name is afmagroup.ma, which hashes to EUKB329VQPC6CRF4VLLEB9BALQU169UO, falling inside the EPN..LB0 range.

I suspect your signer is broken. The offending NSEC3 is returned by all .ma name servers I can find.

Can you please investigate? Thank you!

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
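Added example, not part of the original message or of any PowerDNS code: a way to reproduce the check described above, computing an NSEC3 hash as in RFC 5155 and testing whether a hashed name falls inside the range a cached NSEC3 covers. The message does not give the .ma salt or iteration count, so nsec3_hash() takes them as parameters; the function names are illustrative, and the three hash values are the ones quoted in the message.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), the encoding
# used for NSEC3 owner names. base32hex text sorts like the raw hash bytes.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash (SHA-1) of a domain name, as base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # the iterations field counts extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")

def nsec3_covers(owner_hash, next_hash, candidate_hash):
    """True if candidate lies strictly between owner and next in hash order."""
    o, n, c = (h.upper() for h in (owner_hash, next_hash, candidate_hash))
    if o < n:
        return o < c < n
    # Last NSEC3 in the chain wraps around to the first hash in the zone.
    return c > o or c < n

def aggressive_nxdomain(owner_hash, next_hash, candidate_hash, opt_out):
    """Would a resolver doing aggressive NSEC3 use treat the name as denied?

    An opt-out NSEC3 does not prove nonexistence of covered names
    (RFC 5155), so only a non-opt-out record can be used this way.
    """
    return (not opt_out) and nsec3_covers(owner_hash, next_hash, candidate_hash)

# Values quoted in the message.
OWNER = "EPNGG6KIP1BA66LLJKNBLULI9PUL8OJ9"
NEXT = "LB0AJ7AEMMSB3B556MI0DC1GFDUGO17E"
AFMAGROUP = "EUKB329VQPC6CRF4VLLEB9BALQU169UO"

if __name__ == "__main__":
    print("afmagroup.ma denied by cached NSEC3:",
          aggressive_nxdomain(OWNER, NEXT, AFMAGROUP, opt_out=False))
```

To confirm the hash of a specific name against a live zone, pass the salt and iteration count from the zone's NSEC3PARAM record to nsec3_hash().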
