On Fri, Feb 04, 2022 at 04:25:57PM +0000, Jonathan Sélea via Outages <outages@outages.org> wrote a message of 768 lines which said:
Anyone else seeing dnssec issues on unsigned .se domains? Apparently, if a unsigned domain is followed by a signed domain in the .se zone - the domain wont resolve due to NSEC errors.
Not only. deltacity.se is signed but the DS record also has the strange signature: % dig @a.ns.se DS deltacity.se ; <<>> DiG 9.16.1-Ubuntu <<>> @a.ns.se DS deltacity.se ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16734 ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 43b7c3680ea3613a0100000061fd5b79523d4d0ce26efd10 (good) ;; QUESTION SECTION: ;deltacity.se. IN DS ;; ANSWER SECTION: deltacity.se. 3600 IN DS 2371 13 2 ( 10D93CDBC66AB7BDAD1B5DAA0C91C3CAC83FC5E5D0D2 9A4D5C5A60C1029C4C90 ) deltacity.se. 3600 IN RRSIG DS 8 2 3600 ( 20220218000621 20220204111055 30015 se. AAH///////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// //////////////////////////////////////////// ////////ADAxMA0GCWCGSAFlAwQCAQUABCAPBvXtziUA 4hVkukIixa7pw08KxXpzzylxHdz2eM6gfg== ) ;; Query time: 39 msec ;; SERVER: 2a01:3f0:0:301::53#53(2a01:3f0:0:301::53) ;; WHEN: ven. févr. 04 17:59:38 CET 2022 ;; MSG SIZE rcvd: 407