> On Nov 8, 2018, at 10:01 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> My analysis is that some of the upstream providers have broken DNSSEC
> implementations that don't handle NSEC3 properly or at all, and
> therefore "authenticated denial of existence" is not working for
> your domain.
>
> If the problem is still unresolved your choices are:
>
>   * Try switching to NSEC.  Delete "NSEC3PARAM" and re-sign
>     the zone.
>
>   * Find a more competent DNS provider
>
>   * Temporarily disable DNSSEC (remove the DS records at .CA)
>     until the problems with denial of existence are resolved.
>
> If DNSSEC is desired, but not critical, I'd do the last first,
> then try either or both of the first two, until the nameservers
> respond correctly with appropriately signed NSEC or NSEC3
> records for queries that return NoData and NXDomain.

And the problem does appear unresolved (link is to analysis at a
specific time, so won't change when the issue is actually resolved):

    http://dnsviz.net/d/mx31.harte-lyne.ca/W-RStQ/dnssec/?rr=15&a=all&ds=all&doe=on&ta=.&tk=

-- 
    Viktor.
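
Added example, not part of the original message: a check for what the quoted advice asks of the nameservers, namely that NoData and NXDomain responses carry NSEC or NSEC3 records together with RRSIGs that cover them. It parses `dig +dnssec` text output; the zone example.test and all sample records are constructed, and it assumes the query was sent to an authoritative server for a signed zone.

```python
import re

DENIAL_TYPES = {"NSEC", "NSEC3"}

def parse_dig(text):
    """Return (rcode, records-by-section) from `dig +dnssec` text output."""
    rcode, section, records = None, None, {"ANSWER": [], "AUTHORITY": []}
    for line in text.splitlines():
        status = re.search(r"status: (\w+)", line)
        header = re.match(r";; (\w+) SECTION:", line)
        if status:
            rcode = status.group(1)
        elif header:
            section = header.group(1)
        elif not line.strip():
            section = None                      # a blank line ends a section
        elif not line.startswith(";") and section in records:
            fields = line.split(None, 4)        # owner ttl class type rdata
            if len(fields) == 5:
                records[section].append((fields[3], fields[4]))
    return rcode, records

def check_denial(text):
    """Classify an authoritative response; NoData is NOERROR with an empty answer."""
    rcode, records = parse_dig(text)
    if not (rcode == "NXDOMAIN" or (rcode == "NOERROR" and not records["ANSWER"])):
        return "not-negative"
    auth = records["AUTHORITY"]
    present = {rtype for rtype, _ in auth if rtype in DENIAL_TYPES}
    # The first RRSIG rdata field is the type the signature covers.
    covered = {rdata.split()[0] for rtype, rdata in auth if rtype == "RRSIG"}
    if not present:
        return "missing-denial"                 # no NSEC/NSEC3 at all
    if not present <= covered:
        return "unsigned-denial"                # NSEC/NSEC3 without RRSIG
    return "ok"   # records present and signed; signatures are NOT validated here

# Constructed sample: a NoData answer for a made-up zone, example.test.
GOOD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660

;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20291201000000 12345 example.test. c2ln
mx.example.test. 3600 IN NSEC ns1.example.test. A RRSIG NSEC
mx.example.test. 3600 IN RRSIG NSEC 8 3 3600 20300101000000 20291201000000 12345 example.test. c2ln
"""
NO_DENIAL = "\n".join(l for l in GOOD.splitlines() if " NSEC" not in l)
UNSIGNED = "\n".join(l for l in GOOD.splitlines() if "IN RRSIG NSEC" not in l)
```

This only confirms that the denial records are present and have a covering RRSIG; verifying the signatures and that the NSEC or NSEC3 range actually covers the queried name is the job of a validating resolver or a tool such as DNSViz.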