I think I know what is going on. There is a variable ‘maxlabels’ that is used
in the
binary search that optimised the closest enclosure search. That updated value
was being
use later rather than it's original value when determining the NSEC3 that
proves the NOQNAME
resulting in the wrong NSEC3
version: BIND 9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian
(Stable Release) (<>)
running on localhost: Linux x86_64 6.1.0-33-cloud-amd64 #1 SMP
PREEMPT_DYNAMIC Debian 6.1.133-1 (2025-04-10)
boot time: Sun, 20 Apr 2025 15:40:59 GMT
last configured: Sun, 20 Apr 2025 15:40:59 GMT
configurat
What does ‘rndc status’ return?
> On 21 Apr 2025, at 13:05, akritrim® Intelligence™ via bind-users
> wrote:
>
> Thank you for your help. it does give insights into the problem.
>
> if you check dnsviz history, this does not happen everytime.
>
> the bind version is BIND 9.20.8-1+0~20250416.11
On Sunday, April 20, 2025 7:29:41 PM CEST akritrim® Intelligence™ via bind-
users wrote:
> i didn't specifically ask for your help. i don't know why you replied. yes i
> do need help but this doesn't mean i can read your mind.
>
> so let me know what 'bits' of information should i share that will
Thank you for your help. it does give insights into the problem.
if you check dnsviz history, this does not happen everytime.
the bind version is BIND
9.20.8-1+0~20250416.117+debian12~1.gbp1ea9dd-Debian
obtained from: https://www.isc.org/download/ —->
https://bind.debian.net/bind
there a
The version of BIND and where you got it would be a good start. Any load
balancers, firewalls, etc. between the server and internet that might touch
the DNS records?
True DNSSEC gurus please check my math.
DNSvis is correct. You're not sending the proper NSEC3 records. Like the
RFC says, "It take
i didn't specifically ask for your help. i don't know why you replied. yes i do
need help but this doesn't mean i can read your mind.
so let me know what 'bits' of information should i share that will meaningfully
help me. ( this is equivalent to saying '
if you need anything specific let me k
> On 20. 4. 2025, at 17:57, akritrim® Intelligence™ via bind-users
> wrote:
>
> anyways, if you need anything specific let me know.
Well, I don't really need anything, you've asked for help here, not I. I've
already told you what is needed,
you didn't follow my advice :shrug:. The bits of inf
Hello Ondrej
There are multiple domains with the error. The idea is not to obfuscate
but give an example which covers all domains with these errors.
These errors are also intermittent.
This is not a permanent error. I have no errors in my logs. The dnssec
configuration is below:
dnssec-pol
I wonder what’s the point of obfuscating the name making people unable to help
you when you are putting the domain name that’s broken everywhere else in your
email:
https://dnsviz.net/d/akritrim.net/dnssec/?rr=all&a=all&ds=all&doe=on&ta=.&tk=
Anyway, you need to provide all the details about th
Hi
I am getting the following error if i test the domain on dnsviz.net.
For example for domain example.org i get :
caikb.6tqs4.example.org/A has errors; select the "Denial of existence"
DNSSEC option to see them.
On checking the denial of existence settings i get:
RRset status
Bogus (1)
ca
11 matches
Mail list logo
