It may be a bug in BIND and it is certainly a bug in the zone pcextreme.nl.
BIND validating resolvers are unable to get the IP address of v1.pcextreme.nl. I believe this is because of the strange NSEC: tools-newerst.pcextreme.nl. 2315 IN NSEC v2.pcextreme.nl. AAAA RRSIG NSEC which says there is nothing between tools-newerst.pcextreme.nl and v2.pcextreme.nl (and therefore no v1). This is inconsistent since there are also A and AAAA records for v1.pcextreme.nl. I tested with a BIND and an Unbound, as well as with ODVR <https://www.dns-oarc.net/oarc/services/odvr>. Apparently BIND always fail and Unbound always succeed, probably because Unbound is happy with the A record but BIND uses the (unvalidated, since there is no DS in the parent) NSEC to disprove the domain name. So, the zone signature system at pcextreme.nl seems broken. But is BIND right to send back NXDOMAIN? RFC 4035, section 5.4 is not obvious here. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
