> On Nov 7, 2018, at 6:08 PM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
> Your DNS is broken. Fix it! At the .CA level you have:
>
> harte-lyne.ca. IN NS dns04.harte-lyne.ca. ; AD=0
> harte-lyne.ca. IN NS dns03.harte-lyne.ca. ; AD=0
> harte-lyne.ca. IN NS dns01.harte-lyne.ca. ; AD=0
> harte-lyne.ca. IN NS dns02.harte-lyne.ca. ; AD=0
> dns01.harte-lyne.ca. IN A 216.185.71.33 ; AD=0
> dns02.harte-lyne.ca. IN A 209.47.176.33 ; AD=0
> dns03.harte-lyne.ca. IN A 216.185.71.34 ; AD=0
> dns04.harte-lyne.ca. IN A 209.47.176.34 ; AD=0
>
> and DS records:
>
> harte-lyne.ca. IN DS 34011 8 1 4d8a16b5fe3dbfafe3de6d9631d5e17bc5264daf ;
> NoError AD=0
> harte-lyne.ca. IN DS 37852 8 1 25f0408ace2e07f38fcb5c04bcb80a542eab59ee ;
> NoError AD=0
> harte-lyne.ca. IN DS 37852 8 2
> 263785e078032bb2c961a8d2c8a5f76477db388ecac46bf7299f88e6368f3c49 ; NoError
> AD=0
>
> Below that things look rather grim, your nameservers need attention.
It looks like NSEC chain issues, breaking denial of existence:
http://dnsviz.net/d/mx31.harte-lyne.ca/W-N3QA/dnssec/?rr=15&a=all&ds=all&doe=on&ta=.&tk=
--
Viktor.
