On Fri, Feb 04, 2022 at 04:25:57PM +0000, Jonathan Sélea via Outages <outages@outages.org> wrote a message of 768 lines which said:
Anyone else seeing dnssec issues on unsigned .se domains?
Indeed https://dnsviz.net/d/sportbladet.se/Yf1XbQ/dnssec/
Apparently, if a unsigned domain is followed by a signed domain in the .se zone - the domain wont resolve due to NSEC errors.
Indeed, the NSEC signature is strange: % dig @a.ns.se. +cd +dnssec A Sportbladet.se ; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se. +cd +dnssec A Sportbladet.se ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24863 ;; flags: qr rd cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 5 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 4e597800e9df28eb0100000061fd57eba6944eceaffbe5ee (good) ;; QUESTION SECTION: ;Sportbladet.se. IN A ;; AUTHORITY SECTION: sportbladet.se. 86400 IN NS dns04.ports.net. sportbladet.se. 86400 IN NS dns01.dipcon.com. sportbladet.se. 86400 IN NS dns02.ports.se. sportbladet.se. 86400 IN NS dns03.ports.se. sportbladet.se. 7200 IN NSEC sportbladet-tv.se. NS RRSIG NSEC sportbladet.se. 7200 IN RRSIG NSEC 8 2 7200 ( 20220217023427 20220204111055 30015 se. AAH///////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// ////////ADAxMA0GCWCGSAFlAwQCAQUABCDDlM45/p82 gs9EuWI0BODTVEgrkVM5ZrtG98oLVgefGQ== ) ;; ADDITIONAL SECTION: dns03.ports.se. 86400 IN AAAA 2a04:3540:1000:310:287e:f6ff:fe1d:4789 dns02.ports.se. 86400 IN AAAA 2001:19f0:5001:2a:5400:ff:fe38:1e6f dns03.ports.se. 86400 IN A 94.237.33.102 dns02.ports.se. 86400 IN A 45.63.42.179 ;; Query time: 35 msec ;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53) ;; WHEN: ven. févr. 04 17:44:27 CET 2022 ;; MSG SIZE rcvd: 607