I ran a quick test and all BIND 9 versions that I tested (which also included 
stuff like 9.20.0 that was superseded
and 9.11 which is end-of-life and hasn't been touched for a while) also 
SERVFAIL hlaor.realtor queries.

And named reports:

2025-12-03T10:38:59.527+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2401:fd80:403::122#53
2025-12-03T10:38:59.549+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2001:502:ad09::3#53
2025-12-03T10:38:59.573+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2a01:618:403::122#53
2025-12-03T10:38:59.595+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2610:a1:1009::3#53
2025-12-03T10:38:59.618+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2001:502:2eda::3#53
2025-12-03T10:38:59.650+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2610:a1:1010::3#53
2025-12-03T10:38:59.692+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2a01:618:407::122#53
2025-12-03T10:38:59.733+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 2401:fd80:407::122#53
2025-12-03T10:38:59.756+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 103.49.83.122#53
2025-12-03T10:38:59.780+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.100.3#53
2025-12-03T10:38:59.802+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 213.248.219.122#53
2025-12-03T10:38:59.824+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.102.3#53
2025-12-03T10:38:59.847+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.101.3#53
2025-12-03T10:38:59.878+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 156.154.103.3#53
2025-12-03T10:38:59.920+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 213.248.223.122#53
2025-12-03T10:38:59.962+01:00 no valid RRSIG resolving 'hlaor.realtor/DS/IN': 43.230.51.122#53
2025-12-03T10:38:59.963+01:00 broken trust chain resolving 'hlaor.realtor/SOA/IN': 2600:9000:5305:ee00::1#53
2025-12-03T10:38:59.963+01:00 query client=0x7fffe744e000 thread=0x7fffee1fe680(hlaor.realtor/SOA): query_gotanswer: unexpected error: broken trust chain

This feels like there is something wrong with the NSEC3 chain, but I haven't been 
able to put a finger on it yet.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]

> On 3. 12. 2025, at 2:47, Viktor Dukhovni <[email protected]> wrote:
> 
> So most likely for some reason the OpenDNS servers don't like the DS
> non-existence proof from the .realtor authoritative servers.  Which is
> odd, because the DNSKEY and DS records of .realtor haven't changed since
> late July 2021.



_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
